



Information Technology

Head Office
Shraddha, 4th Floor, Old Nagardas Road,
Near Chinai College, Andheri (E), Mumbai - 400 069.
022 - 2683 66 66









Chapter overview (figure): Categories of Business Processes; Supporting Processes; Automation Benefits; Risk Management and Controls; Specific Business Processes: Procure to Pay (P2P), Order to Cash (O2C), Inventory Cycle, Human Resources, Fixed Assets, General Ledger; Flow charts and Data Flow Diagrams; Regulatory and Compliance Requirements: The Companies Act, 2013 and the IT Act, 2000.

1. Explain Enterprise Information System (EIS)

An Enterprise Information System (EIS) may be defined as any kind of information
system which improves the functions of an enterprise's business processes by
integration. This classically means offering high quality services, dealing with large
volumes of data and being capable of supporting a huge and possibly complex
organization or enterprise. All parts of an EIS should be usable at all levels of an
enterprise as relevant. An EIS provides a technology platform that enables organizations
to integrate and coordinate their business processes on a robust foundation. An EIS
provides a single system that is central to the organization and ensures information
can be shared across all functional levels and management hierarchies. It may be
used to amalgamate existing applications. An EIS can be used to increase business
productivity and reduce service cycles, product development cycles and marketing life
cycles. Other outcomes include higher operational efficiency and cost savings.
For example, when a customer places an order, the data flows automatically to other
parts of the company that are affected by it, leading to enhanced
coordination between these different parts of the business, which in turn lowers costs
and increases customer satisfaction.
· The order transaction triggers the warehouse to pick the ordered products and
schedule shipment.
· The warehouse informs the factory to replenish whatever has depleted.
· The accounting department is notified to send the customer an invoice.
· Customer service representatives track the progress of the order through every
step to inform customers about the status of their orders.

2. Explain following terms:

· Business Process
· Business Process Management

Business Process:
A Business Process is an activity or set of activities that will accomplish a specific
organizational goal.
Business Process Management (BPM):
Business Process Management (BPM) is a systematic approach to improving these
processes.
The details of these processes are shown below:

Figure: Business process framework. Vision and Strategy. Operational Processes with Cross-Functional Linkages: Develop and Manage Products and Services; Market and Sell Products and Services; Deliver Products and Services; Manage Customer Services. Management and Support Processes: Human Resource Management; Information Technology Management; Business Planning, Merger and Acquisition Management; Financial Management; Facilities Management; Legal, Governance and Compliance; External Regulatory, Environment, Health & Safety Management; Knowledge, Relationship Management; Improvement and Change Management.

3. In Enterprise Business Processes, what is the difference between Operational

Processes, Supporting Processes and Management Processes? Give examples.

Depending on the organization, industry and nature of work, business processes are
often broken up into different categories, as shown below.
Categories of Business Processes (figure): Operational Processes, Supporting Processes and Management Processes.

I. Operational Processes (or Primary Processes)

Operational or Primary Processes deal with the core business and value
chain. These processes deliver value to the customer by helping to produce a
product or service. Operational processes represent essential business activities
that accomplish business objectives, e.g. generating revenue (Order to Cash
cycle) and procurement (Purchase to Pay cycle).

Order to Cash Cycle (Example)

Order to Cash (OTC or O2C) is a set of business processes that involves
receiving and fulfilling customer requests for goods or services.
An order to cash cycle consists of multiple sub-processes, as shown in the Fig.
· Customer Order: Customer order received is documented.
· Order Fulfillment: Order is fulfilled or service is scheduled.
· Delivery Note: Order is shipped to customer or service is performed with
delivery note.
· Invoicing: Invoice is created and sent to customer.
· Collections: Customer sends payment /collection.
· Accounting: Collection is recorded in general ledger.

Figure: Order to Cash Cycle: Customer Order → Order Fulfilment → Delivery Note → Invoicing → Collections → Accounting.

II. Supporting Processes (or Secondary Processes)

Supporting Processes back core processes and functions within an
organization. Examples of supporting or management processes include
Accounting, Human Resource (HR) Management and workplace safety. One key
differentiator between operational and support processes is that support
processes do not provide value to customers directly. However, it should be
noted that hiring the right people for the right job has a direct impact on the
efficiency of the enterprise.

Human Resource Management (Example)
The main HR Process Areas are grouped into logical functional areas and they
are as follows:
· Recruitment and Staffing
· Goal Setting
· Training and Development
· Compensation and Benefits
· Performance Management
· Career Development
· Leadership Development

III. Management Processes

Management processes measure, monitor and control activities related to
business procedures and systems. Examples of management processes include
internal communications, governance, strategic planning, budgeting, and
infrastructure or capacity management. Like supporting processes, management
processes do not provide value directly to the customers. However, it has a direct
impact on the efficiency of the enterprise.
Budgeting (Example)
Referring to the following Fig., in any enterprise, budgeting needs to be driven by
the vision (what enterprise plans to accomplish) and the strategic plan (the steps
to get there). Having a formal and structured budgeting process is the foundation
for good business management, growth and development.

Figure: Budgeting Process: Vision → Strategic Plan → Business Goals → Cost Projections → Profit Projections → Board Approval → Budget Review.

4. Explain Business Process Automation

· Business Process Automation (BPA) is the technology-enabled automation of
activities or services that accomplish a specific function and can be implemented
for many different functions of company activities, including sales, management,
operations, supply chain, human resources, information technology, etc.
· In other words, BPA is the tactic a business uses to automate processes to
operate efficiently and effectively.
· It consists of integrating applications and using software applications throughout
the organization.
· BPA is the tradition of analyzing, documenting, optimizing and then automating
business processes.

5. Explain the success factors while implementing BPA in an organization? Or

What are the objectives of Business Process Automation (BPA) (PM) (Nov 14)

The key objectives of BPA are to provide efficient and effective business
processes. The success of any business process automation shall only be
achieved when BPA ensures:

· Confidentiality: To ensure that data is only available to persons who have the
right to see the same;
· Integrity: To ensure that no unauthorized amendments can be made in the
data, i.e. data is error free;
· Availability: To ensure that data is available as and when required;
· Timeliness: To ensure that data is made available at the right time.
In order to successfully achieve the above parameters, BPA needs to implement
appropriate controls.

6. What are the benefits of Automating Business Processes?

Quality & Consistency

· Ensures that every action is performed identically, resulting in high quality,
reliable results, and stakeholders will consistently experience the same level of
service.
Time Saving
· Automation reduces the number of tasks employees would otherwise need to do
· It frees up time to work on items that add genuine value to the business, allowing
innovation and increasing employees’ levels of motivation.
· Automated processes are controlled and consistently operate accurately within
the defined timeline. It gives visibility of the process status to the organisation.
Improved Operational Efficiency
· Automation reduces the time it takes to achieve a task, the effort required to
undertake it and the cost of completing it successfully.
· Automation not only ensures systems run smoothly and efficiently, but that errors
are eliminated and that best practices are constantly leveraged.
· The consistency of automated processes means stakeholders can rely on
business processes to operate and offer reliable processes to customers,
maintaining a competitive advantage.
Reduced Turnaround Times
· Eliminate unnecessary tasks and realign process steps to optimise the flow of
information throughout production, service, billing and collection. This adjustment
of processes distills operational performance and reduces the turnaround times
for both staff and external customers.

Reduced Costs
· Manual tasks, given that they are performed one-at-a-time and at a slower rate
than an automated task, will cost more. Automation allows us to accomplish
more by utilising fewer resources.

7. Explain How to go about BPA?

Explain steps in implementing business process automation.

Business process automation is a complex task, especially for organizations involved
in complex processes. In addition, it is difficult to automate all the business processes;
therefore, an organization should analyze the critical processes which will provide better
benefits through automation.

The steps to go about implementing business process automation:

Step 1: Define why we plan to implement a BPA - The primary purpose for which
enterprise implements automation may vary from enterprise to enterprise.
§ Errors in manual processes leading to higher costs.
§ Payment processes not streamlined, due to duplicate or late payments, missing
early pay discounts, and losing revenue.
§ Paying for goods and services not received.
§ Poor debtor management leading to high invoice aging and poor cash flow.
§ Not being able to find documents quickly during an audit or lawsuit or not being
able to find all documents.
§ Poor customer service.

Step 2: Understand the rules / regulations with which the enterprise needs to
comply - One of the most important steps in automating any business process is
to understand the rules of engagement, which include the rules, adhering to
regulations and document retention requirements, i.e. BPA should be as per
applicable laws and policies. It is important to understand that laws may require
documents to be retained for a specified number of years and in a specified format.
The entity needs to ensure that any BPA adheres to the requirements of law.

Step 3: Document the process, we wish to automate - At this step, the processes
which organization wants to automate should be documented. The processes are
designed on paper or with computer software. The design of the process is normally
prepared with flowcharts.
The key benefits of documenting the processes are:
§ Provides clarity about the processes
§ It helps to determine the problems and issues in the processes

Step 4: Define the objectives / goals to be achieved by implementing BPA - Once

the above steps have been completed, entity needs to determine the key objectives /
reasons of the process improvement activities. The BPA needs to follow the
SMART principle i.e.;
§ Specific: Clearly defined,
§ Measurable: Easily quantifiable in monetary terms,
§ Attainable: Achievable through best efforts,
§ Relevant: Entity must be in need of these, and
§ Timely: Achieved within a given time frame.

Step 5: Engage the business process consultant - To achieve BPA, decide which
company / consultant to partner with, depends upon following:
§ Objectivity of consultant in understanding/evaluating entity situation.
§ Does the consultant have experience with entity business process?
§ Is the consultant experienced in resolving critical business issues?
§ Whether the consultant is capable of recommending and implementing a
combination of hardware, software and services as appropriate to meeting
enterprise BPA requirements?
Overall, the appointed consultant should help organization to achieve the business
objectives of BPA and should help organization to adopt optimum BPA solutions.

Step 6: Calculate the ROI for project - The right stakeholders need to be engaged
and involved to ensure that the benefits of BPA are clearly communicated and
implementation becomes successful.
Some of points which may justify BPA implementation are;
§ Cost Savings, being clearly computed and demonstrated.
§ How BPA could lead to reduction in required manpower leading to no new
recruits need to be hired and how existing employees can be re-deployed or
used for further expansion.
§ Savings in employee salary by not having to replace those due to attrition.
§ The cost of space regained from paper, file cabinets, reduced.
§ Eliminating fines to be paid by entity due to delays being avoided.
§ Reducing the cost of audits and lawsuits.
§ Taking advantage of early payment discounts and eliminating duplicate payments.
§ New revenue generation opportunities.
§ Collecting accounts receivable faster and improving cash flow.

Step 7: Developing the BPA - Once the requirements have been documented, the ROI has
been computed and top management approval to go ahead has been received, the
consultant develops the requisite BPA.

Step 8: Testing the BPA - Once developed, it is important to test the new process to
determine how well it works and the process of testing is an iterative process, the
objective being to remove all problems during this phase.

Summary of the steps:

Step 1: Define why we plan to implement BPA?
The answer to this question will provide justification for implementing BPA.

Step 2: Understand the rules/regulation under which it needs to comply with?
The underlying issue is that any BPA created needs to comply with applicable laws and regulations.

Step 3: Document the process we wish to automate.
The current processes which are planned to be automated need to be correctly and completely documented at this step.

Step 4: Define the objectives/goals to be achieved by implementing BPA.
This enables the developer and user to understand the reasons for going for BPA. The goals need to be precise and clear.

Step 5: Engage the business process consultant.
Once the entity has been able to define the above, the entity needs to appoint an expert, who can implement it for the entity.

Step 6: Calculate the ROI for project.
The answer to this question can be used for convincing top management to say ‘yes’ to the BPA exercise.

Step 7: Development of BPA.
Once the top management grant their approval, the right business solution has to be procured and implemented or developed and implemented covering the necessary BPA.

Step 8: Testing the BPA.
Before making the process live, the BPA solutions should be fully tested.

8. Explain enterprise risk management

Enterprise Risk Management (ERM) may be defined as a process, effected by an
entity’s Board of Directors, management and other personnel, designed to identify
potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
The underlying premise of Enterprise Risk Management (ERM) is that every entity,
whether for profit, not-for-profit, or a governmental body, exists to provide value for its
stakeholders. All entities face uncertainty, and the challenge for management is to
determine how much uncertainty the entity is prepared to accept as it strives to grow
stakeholder value. Uncertainty presents both risk and opportunity, with the potential to
erode or enhance value. ERM provides a framework for management to effectively
deal with uncertainty and associated risk and opportunity and thereby enhance its
capacity to build value.

9. What are the benefits of Enterprise Risk Management

No entity operates in a risk-free environment, and ERM does not create such an
environment. Rather, it enables management to operate more effectively in
environments filled with risks. ERM provides enhanced capability to do the following:
· Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-
based level that an enterprise (any type of entity) is willing to accept to achieve
its goals. Management considers the entity’s risk appetite first in evaluating
strategic alternatives and setting objectives.
· Link growth, risk and return: Entities accept risk as part of value creation and
preservation, and they expect return matching with the risk. ERM provides an
enhanced ability to identify and assess risks, and establish acceptable levels of
risk relative to growth and return objectives.
· Enhance risk response decisions: ERM provides the means to identify and
select among alternative risk responses - risk avoidance, reduction, sharing and
acceptance. ERM provides methodologies and techniques for making these decisions.
· Minimize operational surprises and losses: Entities have enhanced capability
to identify potential events, assess risk and establish responses, thereby
reducing the occurrence of surprises and related costs or losses.
· Identify and manage cross-enterprise risks: Every entity faces number of
risks affecting different parts of the enterprise. Management needs to not only
manage individual risks, but also understand interrelated impacts.
· Provide integrated responses to multiple risks: Business processes carry
many inherent risks, and ERM enables integrated solutions for managing these risks.
· Seize opportunities: Management considers potential events, rather than just
risks, and by considering a full range of events, management gains an
understanding of how certain events represent opportunities.

10. Explain the main components of Enterprise Risk Management

ERM consists of eight interrelated components. These components are as follows:

(i) Internal Environment: The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an

entity’s people, and the environment in which they operate. The internal
environment sets the foundation for how risk and control are viewed and
addressed by an entity’s people.
(ii) Objective Setting: Objectives in line with entity’s mission / vision should be set
before management can identify events potentially affecting their achievement.
(iii) Event Identification: Potential events which includes risks and opportunities that
might have an impact on the entity should be identified. Event identification
includes identifying factors - internal and external - that influence how potential
events may affect strategy implementation and achievement of objectives.
(iv) Risk Assessment: Identified risks are analyzed to form a basis for determining
how they should be managed. Risk assessment is done to identify impact of such
risks on the organization objectives and strategy.
(v) Risk Response: Management selects a response strategy or combination of it
including avoiding, accepting, reducing and sharing risk.
(vi) Control Activities: Policies and procedures are established and executed to
ensure that the risk responses management selected, are effectively carried out.
(vii) Information and Communication: Relevant information is identified, captured
and communicated in a form and time frame that enable people to carry out their
responsibilities. Information is needed at all levels of an entity for identifying,
assessing and responding to risk.
(viii) Monitoring: The entire ERM process should be monitored, and modifications
made as necessary. Monitoring is accomplished through ongoing management
activities, separate evaluations of the ERM processes or a combination of the two.

11. Explain Risk and risks of business process automation.

Risk is any event that may result in a significant deviation from a planned objective
resulting in an unwanted negative consequence. The degree of risk associated with an
event is determined by the likelihood (uncertainty, probability) of the event occurring,
the consequences (impact) if the event were to occur and its timing.
Risks of Business Process Automation
The risks are classified below:
· Input & Access: All input transaction data may not be accurate, complete and
authorized.
· File & Data Transmission: All files and data transmitted may not be processed
accurately and completely, due to network error.
· Processing: Valid input data may not have been processed accurately and
completely due to program error or bugs.
· Output: Is not complete and accurate due to program error or bugs and is
distributed to unauthorized personnel due to weak access control.
· Data: Master data and transaction data may be changed by unauthorized
personnel due to weak access control.
· Infrastructure (facility): All data & programs could be lost if there is no proper
backup in the event of a disaster and the business could come to a standstill.
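Added example (not from the study material): the file and data transmission risk listed above, shown from the control side rather than the risk side. The sender writes a batch file whose trailer record carries control totals (a record count and a hash total of the amounts) and computes a SHA-256 digest over the file; the receiver recomputes all three before processing and reports what went wrong. The file layout, the batch and invoice references, the amounts and the three simulated faults are constructed for this illustration and are not a real interface specification.

```python
import hashlib
from decimal import Decimal


def sha256_hex(text):
    """Digest of the file bytes, sent alongside the file by the sender."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_batch(batch_id, payments):
    """Sender side: header, one detail record per payment, and a trailer
    carrying the control totals (record count and hash total of amounts).
    Returns the file text and its SHA-256 digest."""
    lines = [f"H|{batch_id}"]
    total = Decimal("0")
    for ref, amount in payments:
        lines.append(f"D|{ref}|{amount}")
        total += Decimal(amount)
    lines.append(f"T|{len(payments)}|{total}")
    text = "\n".join(lines) + "\n"
    return text, sha256_hex(text)


def verify_batch(text, expected_digest):
    """Receiver side: recompute everything the sender declared and return a
    list of findings; an empty list means the file may be processed."""
    findings = []
    if sha256_hex(text) != expected_digest:
        findings.append("CHECKSUM_MISMATCH")      # bytes differ from what was sent
    lines = [line for line in text.splitlines() if line]
    details = [line.split("|") for line in lines if line.startswith("D|")]
    trailers = [line.split("|") for line in lines if line.startswith("T|")]
    if len(trailers) != 1:
        findings.append("MISSING_TRAILER")        # truncated: totals cannot be checked
        return findings
    _, declared_count, declared_total = trailers[0]
    if int(declared_count) != len(details):
        findings.append("RECORD_COUNT_MISMATCH")  # completeness: records lost or added
    actual_total = sum((Decimal(d[2]) for d in details), Decimal("0"))
    if Decimal(declared_total) != actual_total:
        findings.append("HASH_TOTAL_MISMATCH")    # accuracy: an amount was altered
    return findings


# Constructed sample batch (hypothetical references and amounts).
PAYMENTS = [("INV-A", "5000.00"), ("INV-F", "16000.00"), ("INV-B", "5000.00")]
SENT, DIGEST = make_batch("PAYRUN-001", PAYMENTS)

# Three simulated transmission faults, also constructed.
TRUNCATED = "\n".join(SENT.splitlines()[:-1]) + "\n"   # trailer never arrived
DROPPED = SENT.replace("D|INV-F|16000.00\n", "")        # one detail record lost
CORRUPTED = SENT.replace("16000.00", "61000.00", 1)     # digits transposed in transit

if __name__ == "__main__":
    for name, received in [("sent", SENT), ("truncated", TRUNCATED),
                           ("dropped", DROPPED), ("corrupted", CORRUPTED)]:
        print(name, verify_batch(received, DIGEST))
```

The digest catches every change to the bytes, but on its own it says nothing about what to do next; the record count and hash total tell the receiver whether the file is incomplete (re-request it) or inaccurate (query the sender), which is why batch interfaces carry both kinds of check.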

12. Explain the different types of Business Risks

· Strategic: Risk that would prevent an organization from accomplishing its

objectives (meeting its goals).

· Financial: Risk that could result in a negative financial impact to the
organization (waste or loss of assets).
· Regulatory (Compliance): Risk that could expose the organization to fines and
penalties from a regulatory agency due to non-compliance with laws and regulations.
· Reputational: Risk that could expose the organization to negative publicity.
· Operational: Risk that could prevent the organization from operating in the
most effective and efficient manner.

13. Explain term control

Control is defined as policies, procedures, practices and organization structure that

are designed to provide reasonable assurance that business objectives are achieved
and undesired events are prevented or detected and corrected.
SA-315 defines the system of internal control as the plan of enterprise and all the
methods and procedures adopted by the management of an entity to assist in
achieving management’s objective of ensuring, as far as practicable, the orderly and
efficient conduct of its business, including adherence to management policies, the
safeguarding of assets, prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable
financial information.
The system of internal control is said to be well designed and properly operated when:
· All transactions are executed in accordance with management’s general or
specific authorization;
· All transactions are promptly recorded in the correct amount, in the appropriate
accounts and in the accounting period during which it is executed to permit
preparation of financial information within a framework of recognized accounting
policies and practices and relevant statutory requirements, if any, and to maintain
accountability for assets;
· Assets are safeguarded from unauthorized access, use or disposition; and
· The recorded assets are compared with the existing assets at reasonable
intervals and appropriate action is taken to reconcile any differences.

Based on the mode of implementation, these controls can be manual, automated or

semi-automated (partially manual and partially automated). The objective of a control
is to mitigate the risk.
· Manual Control: Manually verify that the goods ordered in PO (A) are received
(B) in good quality and the vendor invoice (C) reflects the quantity & price are as
per the PO (A).
· Automated Control: The above verification is done automatically by the
computer system by comparing (D), (E) & (F) and exceptions highlighted.
· Semi-Automated Control: Verification of Goods Receipt (E) with PO (D) could
be automated but the vendor invoice matching could be done manually in a
reconciliation process (G).

Example - Purchase to Pay: Given below is a simple example of controls for the
Purchase to Pay cycle, which is broken down to four main components as shown in
the Fig.
· Purchases: When an employee working in a specific department (i.e.,
marketing, operations, sales, etc.) wants to purchase something required for

carrying out the job, he/she will submit a Purchase Requisition (PR) to a
manager for approval. Based on the approved PR a Purchase Order (PO) is
raised. The PO may be raised manually and then input into the computer system
or raised directly by the computer system.
· Goods Receipt: The PO is then sent to the vendor, who will deliver the goods as
per the specifications mentioned in the PO. When the goods are received at the
warehouse, the receiving staff checks the delivery note, PO number etc. and
acknowledges the receipt of the material. Quantity and quality are checked and
any unfit items are rejected and sent back to the vendor. A Goods Receipt Note
(GRN) is raised indicating the quantity received. The GRN may be raised
manually and then input into the computer system or raised directly by the
computer system.

Figure: Purchase Cycle - Sample Controls. Flow: Purchase Requisition → Purchase Order (Input Purchase Order) → Goods Receipt (Input Receipt Information) → Vendor Invoice (Input Invoice Details) → Vendor Payment; Credit Purchase posted to Accounts Payable.

· Invoice Processing: The vendor sends the invoice to the accounts payable
department who will input the details into the computer system. The vendor
invoice is checked with the PO to ensure that only the goods ordered have been
invoiced and at the negotiated price. Further the vendor invoice is checked with
the GRN to ensure that the quantity ordered has been received.
· Payment: If there is no mismatch between the PO, GRN and vendor invoice, the
payment is released to the vendor based on the credit period negotiated with
the vendor.
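Added example (not from the study material): the automated control described in the Purchase to Pay example, i.e. the three-way match of Purchase Order, Goods Receipt Note and vendor invoice, written in Python with exceptions highlighted rather than payment released. The document numbers, vendor names, quantities and prices are constructed; the 2% price tolerance and the exception code names are assumptions for this illustration, not values from any real ERP.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:          # what was ordered (PO)
    po_no: str
    vendor: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:           # what the warehouse actually received (GRN)
    grn_no: str
    po_no: str
    qty_received: int


@dataclass(frozen=True)
class VendorInvoice:          # what the vendor is asking to be paid
    invoice_no: str
    po_no: str
    vendor: str
    qty: int
    unit_price: Decimal


# Assumed policy value: an invoiced unit price may differ from the PO by at most 2%.
PRICE_TOLERANCE = Decimal("0.02")


def three_way_match(pos, grns, invoices):
    """Automated control: compare every invoice with its PO and the GRNs
    raised against that PO. Returns {invoice_no: [exception codes]};
    an invoice absent from the result passed every check."""
    po_by_no = {po.po_no: po for po in pos}
    received = defaultdict(int)
    for g in grns:
        received[g.po_no] += g.qty_received
    invoiced = defaultdict(int)       # cumulative qty invoiced per PO so far
    seen = set()
    exceptions = defaultdict(list)
    for inv in invoices:
        if inv.invoice_no in seen:    # same invoice presented twice: duplicate payment risk
            exceptions[inv.invoice_no].append("DUPLICATE_INVOICE")
            continue
        seen.add(inv.invoice_no)
        po = po_by_no.get(inv.po_no)
        if po is None:                # invoice for goods never ordered
            exceptions[inv.invoice_no].append("NO_PO")
            continue
        if inv.vendor != po.vendor:
            exceptions[inv.invoice_no].append("VENDOR_MISMATCH")
        if abs(inv.unit_price - po.unit_price) > po.unit_price * PRICE_TOLERANCE:
            exceptions[inv.invoice_no].append("PRICE_MISMATCH")
        invoiced[inv.po_no] += inv.qty
        if invoiced[inv.po_no] > po.qty:
            exceptions[inv.invoice_no].append("QTY_EXCEEDS_PO")
        if received[inv.po_no] == 0:  # paying for goods not received
            exceptions[inv.invoice_no].append("NO_GOODS_RECEIPT")
        elif invoiced[inv.po_no] > received[inv.po_no]:
            exceptions[inv.invoice_no].append("QTY_EXCEEDS_RECEIPT")
    return dict(exceptions)


def release_for_payment(pos, grns, invoices):
    """Only invoices with no exception are released; flagged ones go to a
    manual reconciliation queue."""
    flagged = three_way_match(pos, grns, invoices)
    return [inv.invoice_no for inv in invoices if inv.invoice_no not in flagged]


# Constructed sample documents (hypothetical numbers, vendors and prices).
POS = [
    PurchaseOrder("PO-1001", "Acme Supplies", 12, Decimal("500.00")),
    PurchaseOrder("PO-1002", "Acme Supplies", 20, Decimal("250.00")),
    PurchaseOrder("PO-1003", "Beta Ltd", 5, Decimal("3000.00")),
    PurchaseOrder("PO-1004", "Beta Ltd", 2, Decimal("8000.00")),
]
GRNS = [
    GoodsReceipt("GRN-1", "PO-1001", 12),
    GoodsReceipt("GRN-2", "PO-1002", 15),      # partial delivery
    GoodsReceipt("GRN-3", "PO-1004", 2),       # nothing received yet for PO-1003
]
INVOICES = [
    VendorInvoice("INV-A", "PO-1001", "Acme Supplies", 10, Decimal("500.00")),   # clean
    VendorInvoice("INV-B", "PO-1002", "Acme Supplies", 20, Decimal("250.00")),   # only 15 received
    VendorInvoice("INV-C", "PO-1003", "Beta Ltd", 5, Decimal("3000.00")),        # nothing received
    VendorInvoice("INV-D", "PO-1001", "Acme Supplies", 2, Decimal("545.00")),    # price 9% above PO
    VendorInvoice("INV-A", "PO-1001", "Acme Supplies", 10, Decimal("500.00")),   # resubmitted copy
    VendorInvoice("INV-F", "PO-1004", "Beta Ltd", 2, Decimal("8000.00")),        # clean
]

if __name__ == "__main__":
    for invoice_no, codes in three_way_match(POS, GRNS, INVOICES).items():
        print(invoice_no, codes)
    print("release:", release_for_payment(POS, GRNS, INVOICES))
```

Note that a duplicate blocks both copies of the invoice, not just the second one: once the same number has been presented twice, neither copy should be paid until someone has looked at it, which is the reconciliation step (G) in the text.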

14. Explain internal Control System

· Internal Controls are a system consisting of specific policies and procedures

designed to provide management with reasonable assurance that the goals and
objectives it believes important to the entity will be met.
· “Internal Control System” means all the policies and procedures adopted by
the management of an entity to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business,
including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of
the accounting records, and the timely preparation of reliable financial
information.
An Internal Control System:
· Facilitates the effectiveness and efficiency of operations.
· Helps ensure the reliability of internal and external financial reporting.
· Assists compliance with applicable laws and regulations.
· Helps safeguarding the assets of the entity.
The extent and nature of the risks to internal control vary depending on the nature
and characteristics of the entity’s information system. The entity responds to the risks
arising from the use of IT or from use of manual elements in internal control by
establishing effective controls considering the characteristics of the entity’s information
system.

15. Explain five components of Internal Control as per SA 315.

SA 315 explains the five components of any internal control as they relate to a
financial statement audit. The five components are as follows:
· Control Environment
· Risk Assessment
· Control Activities
· Information and Communication
· Monitoring of Controls

I. Control Environment
The Control Environment is the set of standards, processes, and structures that
provide the basis for carrying out internal control across the organization. The board of
directors and senior management establish the tone at the top regarding the
importance of internal control, including expected standards of conduct.
The control environment is manifested in management’s operating style, the
ways authority and responsibility are assigned, the functional method of the audit
committee, the methods used to plan and monitor performance and so on.

II. Risk Assessment

Every entity faces a variety of risks from external and internal sources. Risk may be
defined as the possibility that an event will occur and adversely affect the achievement
of objectives. Risk assessment involves process for identifying and assessing risks to
the achievement of objectives. Risks to the achievement of these objectives from
across the entity are considered relative to established risk tolerances.

III. Control Activities

Control Activities are the actions established through policies and procedures that
help ensure that the actions needed to achieve objectives are carried out. Control activities are performed
at all levels of the entity, at various stages within business processes, and over the
technology environment. They may be preventive or detective in nature and may
encompass a range of manual and automated activities.

Control activities include the following:
Segregation of Duties (SOD) is the process of assigning different people the
responsibilities of authorizing transactions, recording transactions, and maintaining
custody of assets. Segregation of duties is intended to reduce errors or fraud in the
normal course of the person’s duties.
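Added example (not from the study material): a small Python check of Segregation of Duties. It goes a little beyond the text in two ways: it derives each user's duties (authorize, record, custody) from the roles assigned to them and flags users whose combined roles give them more than one duty (a preventive check over the access model), and it also scans a transaction log for cases where one person actually performed two duties on the same transaction (a detective check over what happened). The role names, user names, log entries and the role-to-duty mapping are constructed for the illustration.

```python
from itertools import combinations

# The three duties the text says must sit with different people.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Assumed role-to-duty mapping for a purchase-to-pay system (constructed,
# not taken from any real ERP or from the study material).
ROLE_DUTIES = {
    "po_approver": {AUTHORIZE},
    "payment_releaser": {AUTHORIZE},
    "ap_clerk": {RECORD},
    "gl_accountant": {RECORD},
    "warehouse_receiver": {CUSTODY},
    "read_only_auditor": set(),
}


def duties_of(roles):
    """Union of the duties granted by a user's roles. An unknown role is a
    configuration error, so this raises instead of treating it as harmless."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES[role]
    return duties


def sod_conflicts(user_roles):
    """Preventive check over the access model: {user: ["duty+duty", ...]}
    for every user whose roles combine two or more incompatible duties."""
    conflicts = {}
    for user, roles in user_roles.items():
        held = sorted(duties_of(roles))
        pairs = [f"{a}+{b}" for a, b in combinations(held, 2)]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def sod_violations_in_log(log):
    """Detective check over what actually happened: transaction ids on which
    one user performed more than one duty, whatever the access model says."""
    per_txn = {}
    for txn, duty, user in log:
        per_txn.setdefault(txn, {}).setdefault(user, set()).add(duty)
    return sorted(txn for txn, by_user in per_txn.items()
                  if any(len(duties) > 1 for duties in by_user.values()))


# Constructed sample data (hypothetical users and transactions).
USER_ROLES = {
    "asha": ["po_approver"],
    "bala": ["ap_clerk"],
    "chitra": ["ap_clerk", "payment_releaser"],      # records and authorizes
    "dev": ["warehouse_receiver", "po_approver"],     # holds the goods and authorizes
    "esha": ["read_only_auditor"],
}
TRANSACTION_LOG = [
    ("PO-2001", AUTHORIZE, "asha"), ("PO-2001", RECORD, "bala"),
    ("PO-2002", AUTHORIZE, "chitra"), ("PO-2002", RECORD, "chitra"),
    ("PO-2003", AUTHORIZE, "asha"), ("PO-2003", RECORD, "asha"),   # outside her role design
]

if __name__ == "__main__":
    print("role conflicts:", sod_conflicts(USER_ROLES))
    print("log violations:", sod_violations_in_log(TRANSACTION_LOG))
```

The log check matters even when the role model is clean: PO-2003 is recorded by a user whose roles do not grant the record duty at all, which the access-model check can never see and only a review of actual activity reveals.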

General Controls include controls over information technology management,
information technology infrastructure, security management and software acquisition,
development and maintenance.
Application Controls are designed to ensure completeness, accuracy, authorization
and validity of data capture and transaction processing.

IV. Information & Communication

Information is necessary for the entity to carry out internal control responsibilities in
support of the achievement of its objectives. Management obtains and uses relevant
and quality information from both internal and external sources to support the
functioning of other components of internal control.
Communication is the continual process of providing, sharing, and obtaining
necessary information.
It contains elements which inform and communicate to users on a timely basis.

V. Monitoring of Controls
Ongoing evaluations, separate evaluations, or some combination of the two are used
to ascertain whether each of the five components of internal control is present and
functioning. Findings are evaluated against management’s criteria and deficiencies are
communicated to management and the board of directors as appropriate.

16. Explain Limitations of Internal Control System

Internal control, no matter how effective, can provide an entity with only reasonable
assurance and not absolute assurance about achieving the entity’s operational,
financial reporting and compliance objectives. Internal control systems are subject to
certain inherent limitations, such as:
· Management’s consideration that the cost of an internal control doesn’t exceed
the expected benefits to be derived.
· The fact that most internal controls do not tend to be directed at transactions of
an unusual nature.
· The potential for human error, such as due to carelessness,
distraction, mistakes of judgement and misunderstanding of instructions.
· The possibility of circumvention of internal controls through collusion with
employees or with parties outside the entity.
· The possibility that a person responsible for exercising an internal control could
abuse that responsibility, for example, a member of management overriding an
internal control.
· Manipulations by management with respect to transactions or estimates and
judgements required in the preparation of financial statements.


17. Explain Flowchart

· Flowcharts are used in designing and documenting simple processes or
programs. Like other types of diagrams, they help visualize what is going on and
thereby help understand a process, and perhaps also find flaws and bottlenecks.
There are many different types of flowcharts, and each type has its own
repertoire of boxes and notational conventions.
· The two most common types of boxes in a flowchart are as follows:
§ Processing step, usually called activity, and denoted as a rectangular box.
§ Decision, usually denoted as a diamond.

I. Flowcharting Symbols

II. Steps for creating flowcharts for business processes

· Identify the business processes that are to be documented with a flowchart and
establish the overall goal of the business process.
· Based on inputs from the business process owner, obtain a complete
understanding of the process flow.
· Prepare an initial rough diagram and discuss it with the business process owner
to confirm your understanding of the processes.
· Obtain additional information about the business process from the people
involved in each step, such as end users, stakeholders, administrative assistants
and department heads.
· Identify the activities in each process step and who is responsible for each.
· Identify the starting point of the process. The starting point of a business
process should be what triggers the process to action. In other words, it is the
input that the business seeks to convert into an output.
· Separate the different steps in the process. Identify each individual step in the
process and how it is connected to the other steps.
· In traditional Business Process Modeling Notation (BPMN), the steps are
represented by different shapes depending on their function. For example, we
would use steps such as “customer order” (an event), “process order” (an
activity), “Check credit” (an action), “Credit” (a decision gateway that leads to one
of two other actions, depending on a “yes” or “no” determination), and so on.

· Clarify who or what performs each step.
[Figure: Simple Flowchart. Start "Lamp doesn’t work" → decision "Lamp plugged in?" (No → "Plug in lamp") → decision "Bulb burned out?" (Yes → "Replace bulb") → "Repair lamp".]

Simple Flowchart

18. Explain various advantages of flowcharts

(i) Quicker grasp of relationships - The relationships between the various elements of
the application program/business process must be identified. A flowchart can help
depict a lengthy procedure more easily than describing it by means of written
(ii) Effective Analysis - The flowchart becomes a blueprint of a system that can be
broken down into detailed parts for study. Problems may be identified and new
approaches may be suggested by flowcharts.
(iii) Communication - Flowcharts aid in communicating the facts of a business
problem to those whose skills are needed for arriving at the solution.
(iv) Documentation - Flowcharts serve as good documentation which aids greatly
in future program conversions. In the event of staff changes, they serve a
training function by helping new employees in understanding the existing
(v) Efficient coding - Flowcharts act as a guide during the system analysis and
program preparation phase. Instructions coded in a programming language may
be checked against the flowchart to ensure that no steps are omitted.
(vi) Program Debugging - Flowcharts serve as an important tool during program
debugging. They help in detecting, locating and removing mistakes.
(vii) Efficient program maintenance - The maintenance of operating programs is
facilitated by flowcharts. The charts help the programmer to concentrate attention
on that part of the information flow which is to be modified.

19. Explain various limitations of Flowchart

(i) Complex logic - Flowchart becomes complex and clumsy where the problem
logic is complex.
(ii) Modification - If modifications to a flowchart are required, it may require
complete re-drawing.
(iii) Reproduction - Reproduction of flowcharts is often a problem because the
symbols used in flowcharts cannot be typed.
(iv) Link between conditions and actions - Sometimes it becomes difficult to
establish the linkage between various conditions and the actions to be taken
thereupon for a condition.
(v) Standardization - No uniform practice is followed for drawing.

Example 1: Draw a Flowchart for finding the sum of first 100 odd numbers.
Solution : The flowchart is drawn as Fig. 1.7.3 and is explained step by step below. The
step numbers are shown in the flowchart in circles and as such are not a part of the
flowchart but only a referencing device.
Our purpose is to find the sum of the series 1, 3, 5, 7, 9, … (100 terms). The
student can verify that the 100th term would be 199. We propose to set A = 1 and then go
on incrementing it by 2 so that it holds the various terms of the series in turn. B is an
accumulator in the sense that A is added to B whenever A is incremented. Thus, B will hold:
0 + 1 = 1, 1 + 3 = 4, 4 + 5 = 9, 9 + 7 = 16, etc. in turn.
Step 1 - All working locations are set at zero. This is necessary because if they are holding
some data from a previous program, that data is liable to corrupt the result of the flowchart.
Step 2 - A is set at 1 so that subsequently, by incrementing it successively by 2, we get the
wanted odd terms: 1, 3, 5, 7, etc.
Step 3 - A is poured into B, i.e., added to B. B being 0 at the moment and A being 1, B
becomes 0 + 1 = 1.
Step 4 - Step 4 poses a question: “Has A become 199?” If not, go to step 5, where we
increment A by 2, so that although at the moment A is 1, it will be made 3 in step 5, and so
on. Then go back to step 3, forming a loop.



[Figure: flowchart with the box “B = B + A” (step 3) and the decision “A = 199?”.]

Flowchart for addition of first 100 odd numbers

Since we must stop at the 100th term, which is equal to 199, A is repeatedly incremented in
step 5 and added to B in step 3. In other words, B holds the cumulative sum up to the latest
term held in A.
When A has become 199, the necessary computations have been carried out, so in step 6
the result is printed.

Example 2
An E-commerce site has the following cash back offers.
(i) If the purchase mode is via website, an initial discount of 10% is given on the bill
(ii) If the purchase mode is via phone app, an initial discount of 20% is given on the bill
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
Every purchase eligible for a discount is given 10 reward points.
(a) If the reward points are between 100 and 200 points, the customer is eligible for a
further 30% discount on the bill amount after initial discount.
(b) If the reward points exceed 200 points, the customer is eligible for a further 40%
discount on the bill amount after initial discount.
Taking purchase mode, bill amount and number of purchases as input; draw a
flowchart to calculate and display the total reward points and total bill amount payable
by the customer after all the discount calculation.
Refer Fig. 1.7.4; let us define the variables first:
· PM: Purchase Mode
· BA: Bill Amount
· TBA: Total Bill Amount
· NOP: Number of Purchases
· TRP: Total Reward Points
· IN_DISC: Initial Discount
· ET_DISC: Extra Discount on purchases eligible for Initial Discount
· N: Counter (to track the number of purchases)
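Both flowcharts (Example 1 and Example 2) written out as Python functions, as an added example that is not part of the study notes. The reward-point and discount rules of Example 2 are interpreted as stated in the comments, since the notes leave a few of them implicit.

```python
"""Added example (not from the study notes): the two flowcharts in Examples 1 and 2
written out as Python functions so that each loop and branch can be traced and tested."""


def sum_first_odd_numbers(count: int = 100) -> int:
    """Example 1 flowchart. A holds the current odd term, B accumulates the sum.
    Steps follow the notes: clear working locations, A = 1, B = B + A, test whether
    A has reached the last term, otherwise A = A + 2 and loop back."""
    last_term = 2 * count - 1          # 199 for count = 100, as the notes state
    a = 0
    b = 0                              # step 1: working locations set to zero
    a = 1                              # step 2
    while True:
        b = b + a                      # step 3
        if a == last_term:             # step 4: "Has A become 199?"
            return b                   # step 6: print (here: return) the result
        a = a + 2                      # step 5


# Purchase modes from the problem statement; any other mode earns no discount.
INITIAL_DISCOUNT_RATE = {"website": 0.10, "phone app": 0.20}


def purchase_bill(purchases):
    """Example 2 flowchart. `purchases` is a list of (PM, BA) pairs, one per purchase,
    so NOP = len(purchases) and N counts them. Assumptions (implicit in the notes):
    - every purchase that earned an initial discount adds 10 reward points (TRP);
    - TBA accumulates the bill amounts after the initial discount (IN_DISC);
    - the extra discount (ET_DISC) of 30% / 40% is applied once to TBA, based on TRP;
    - "between 100 and 200" is read as inclusive, "exceed 200" as strictly greater.
    Returns (TRP, TBA)."""
    trp = 0
    tba = 0.0
    for n, (pm, ba) in enumerate(purchases, start=1):   # N runs from 1 to NOP
        if ba < 0:
            raise ValueError(f"purchase {n}: bill amount cannot be negative")
        rate = INITIAL_DISCOUNT_RATE.get(pm.strip().lower(), 0.0)
        in_disc = ba * rate
        if rate > 0:
            trp += 10                  # only discounted purchases earn points
        tba += ba - in_disc
    if 100 <= trp <= 200:
        et_disc = 0.30 * tba
    elif trp > 200:
        et_disc = 0.40 * tba
    else:
        et_disc = 0.0
    tba -= et_disc
    return trp, round(tba, 2)


if __name__ == "__main__":
    print(sum_first_odd_numbers())                       # 10000
    print(purchase_bill([("Phone App", 100.0)] * 10))    # (100, 560.0)
```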

20. Explain data flow diagrams.
· Data Flow Diagram (DFD) is a graphical representation of the flow of data
through a business process and information system.
· It represents the flow of data from source to destination.
· DFD is a graphical representation for logical flow of data. It helps in expressing
system logics in a simple and easy to understand form.
DFD basically provides an overview of:
· What data a system processes;
· What transformations are performed;
· What data are stored;
· What results are produced and where they flow.
It is mainly used by technical staff for graphically communicating between
analysts and programmers.

Main symbols used in DFD

· Process: Step-by-step instructions are followed that transform inputs into outputs
(a computer or person or both doing the work).
· Data flow: Data flowing from place to place, such as an input or output to a process.
· External agent: The source or destination of data outside the system.
· Data Store: Data at rest, being stored for later use. Usually corresponds to a data
entity on an entity-relationship diagram.
· Real-time link: Communication back and forth between an external agent and a
process as the process is executing (e.g., credit card
[Figure: DFD Symbols]
Data Flow Diagrams - Processes are identified to functional departments.
Given below is a simple scenario depicting a book borrowed from a library being returned
and the fine calculated due to delay.
[Figure: Simple DFD (Example). External entity “Book” → data flow “Bar Code” → process “Scan Bar Code” → data flow “Book Id” → process “Calculate Fine” → data flow “Fine” → external entity “Borrower”; data store “Library database” supplies “Date due back” to “Calculate Fine”.]

Simple DFD (Example)
· The book is represented as an external entity and the input is the bar code.
· The process is the scanning of the bar code and giving an output of the Book ID.
· The next process calculates the fine based on accessing the “library database” and
establishing the “due back” date.
· Finally, the fine is communicated to the borrower who is also shown as an external

Diagrammatic Representation of Specific Business Processes
I. Customer Order Fulfillment (Refer Fig.)
· The process starts with the customer placing an order and the sales department
creating a sales order.
· The sales order goes through the Credit & Invoicing process to check credit (an
activity) is it OK? (a decision gateway).
· If the customer’s credit check is not OK, you would move to the step “credit
problem addressed” (an activity), followed by a decision “OK?”. If, “No” the order
will be stopped.
· If the customer’s “credit check” response is “yes”, and if stock is available, an
invoice is prepared, goods shipped and an invoice is sent to the customer. If the
stock is not available, the order is passed to “production control” for manufacture
and then shipped to customer with the invoice.
· The process ends with the payment being received from customer.

Customer Order Fulfillment (Example)

II. Order to Cash

Following Fig. indicates the different sub processes within the main processes in the
Order to Cash cycle.
(i) Sales and Marketing (SM)
· Advertises and markets the company’s products and books sales orders from

(ii) Order Fulfillment
· Receives orders from SM.
· Checks inventory to establish availability of the product. If the product is
available in stock, transportation is arranged and the product is sent to the
(iii) Manufacturing
· If the product is not available in stock, this information is sent to the
manufacturing department so that the product is manufactured and subsequently
sent to the customer.

[Figure: Order to Cash (Example). Lane “Sales and Marketing Services”; Order Fulfillment: “Receive Orders” → “Check Inventory” → “Arrange Transportation” → “Send to Customer”; Manufacturing: “Send info to manufacturing” → “Product manufactured”; Receivables: “Create Invoice for the Orders” → “Send to customer” → “Receive payments” → “Close the” (label truncated).]

Order to Cash (Example)

(iv) Receivables
· The invoice is created, sent to the customer, payment received and the invoice

III Procure to Pay

The Purchase to Pay Process in following Fig. indicates the different processes
identified specifically to department/entity so that the responsibilities are clearly
defined. Let’s understand flow from the perspective of each department/entity.
(i) User Department
· A user in an enterprise may require some material or service. Based on the
need and justification, the user raises a Purchase Request (PR) to the
Procurement department.
(ii) Procurement Department (PD)
· PD receives the PR and prioritizes the request based on the need and
urgency of the user.
· It is then the responsibility of the PD to find the best source of supply, for
the specific material/service. PD will then request the potential vendors to
submit their quotes, based on which negotiations on price, quality and
payment terms, will take place.
· The Purchase Order (PO) will then be released to the selected vendor.
(iii) Vendor
· The vendor receives the PO and carries out his own internal checks.
· Matches the PO with the quotation sent and in the event of any discrepancy
will seek clarification from the enterprise.

· If there are no discrepancies, the vendor will raise an internal sales order
within the enterprise.
· The material is then shipped to the address indicated in the PO.
· The Vendor Invoice (VI) is sent to the Accounts Payable department, based
on the address indicated in the PO.
(iv) Stores
· Receives the material.
· Checks the quantity received with the PO and quality with the users. If there
is any discrepancy the vendor is immediately informed.
· The Goods Received Note (GRN) is prepared based on the actual receipt
of material and the stores stock updated. The GRN is then, sent to the
Accounts Payable department for processing the payment.
· A Material Issue Note is created and the material is sent to the concerned
(v) Accounts Payable (AP)
· AP will do a “3-way match” of PO/GRN/Invoice. This is to ensure that the
price, quantity and terms indicated in the Invoice matches with the PO and
the quantity received in the PO matches with the GRN quantity. This check
establishes that what has been ordered has been delivered.
· If there is no discrepancy, the payment voucher is prepared for payment
and the necessary approvals obtained.
· If there is a discrepancy, the Invoice is put “on hold” for further clarification
and subsequently processed.
· Finally, the payment is made to the vendor.
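The Accounts Payable “3-way match” of PO, GRN and Vendor Invoice described in step (v), as an added example that is not part of the study notes. Document fields and the sample PO, GRN and invoice values are assumed for illustration.

```python
"""Added example (not from the study notes): the Accounts Payable "3-way match" of
PO / GRN / Vendor Invoice, deciding whether a payment voucher may be prepared or
the invoice goes "on hold". Document fields and sample values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    material: str
    quantity: int
    unit_price: float
    payment_terms: str


@dataclass(frozen=True)
class GoodsReceivedNote:
    po_number: str
    material: str
    quantity_received: int


@dataclass(frozen=True)
class VendorInvoice:
    po_number: str
    vendor_id: str
    material: str
    quantity: int
    unit_price: float
    payment_terms: str


def three_way_match(po, grn, inv, price_tolerance=0.0):
    """Return (matched, reasons). Every mismatch is collected, not just the first,
    so the AP clerk sees everything that needs clarification with the vendor."""
    reasons = []
    # The PO number is what ties the three documents together.
    if not (po.po_number == grn.po_number == inv.po_number):
        reasons.append("PO number differs across PO/GRN/Invoice")
    # The invoice must come from the vendor the PO was released to.
    if inv.vendor_id != po.vendor_id:
        reasons.append("invoice vendor does not match PO vendor")
    if not (po.material == grn.material == inv.material):
        reasons.append("material differs across PO/GRN/Invoice")
    # Price and terms on the Invoice must match the PO.
    if abs(inv.unit_price - po.unit_price) > price_tolerance:
        reasons.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price}")
    if inv.payment_terms != po.payment_terms:
        reasons.append("payment terms differ from PO")
    # Invoice quantity must match the PO, and the GRN quantity must match the PO:
    # together these establish that what was ordered has been delivered.
    if inv.quantity != po.quantity:
        reasons.append(f"invoiced quantity {inv.quantity} differs from PO quantity {po.quantity}")
    if grn.quantity_received != po.quantity:
        reasons.append(f"received quantity {grn.quantity_received} differs from PO quantity {po.quantity}")
    # Paying for more than was received is the disbursement risk this control targets.
    if inv.quantity > grn.quantity_received:
        reasons.append("invoiced quantity exceeds quantity received")
    return (not reasons, reasons)


def ap_decision(po, grn, inv):
    """The AP outcome from the notes: prepare the payment voucher, or put the invoice on hold."""
    matched, reasons = three_way_match(po, grn, inv)
    return "prepare payment voucher" if matched else "on hold: " + "; ".join(reasons)


# Constructed sample documents.
PO = PurchaseOrder("PO-1001", "V-42", "M-7 steel plate", 100, 12.50, "net 30")
GRN_FULL = GoodsReceivedNote("PO-1001", "M-7 steel plate", 100)
GRN_SHORT = GoodsReceivedNote("PO-1001", "M-7 steel plate", 90)
INVOICE = VendorInvoice("PO-1001", "V-42", "M-7 steel plate", 100, 12.50, "net 30")
INVOICE_REPRICED = VendorInvoice("PO-1001", "V-42", "M-7 steel plate", 100, 13.00, "net 30")

if __name__ == "__main__":
    print(ap_decision(PO, GRN_FULL, INVOICE))
    print(ap_decision(PO, GRN_SHORT, INVOICE))
    print(ap_decision(PO, GRN_FULL, INVOICE_REPRICED))
```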


Procure to Pay (Example)


Business Processes - Risks and Controls

Suitable controls should be implemented to meet the requirements of the control objectives.
These controls can be manual, automated or semi-automated provided the risk is mitigated.
Based on the scenario, the controls can be Preventive, Detective or Corrective. In
computer systems, controls should be checked at three levels, namely Configuration,
Master & Transaction- level.

1. Configuration
Configuration refers to the way a software system is set up. Configuration is the
process of defining the options that are provided. Configuration will define how software
will function and what menu options are displayed. When any software is installed,
values for various parameters should be set up (configured) as per the policies,
business process workflow and business process rules of the enterprise. The various
modules of the enterprise such as Purchase, Sales, Inventory, Finance, User Access
etc. have to be configured. Some examples of configuration are given below:
· Mapping of accounts to front end transactions like purchase and sales
· Control on parameters: Creation of Customer Type, Vendor Type, year-end
· User activation and deactivation
· User Access & privileges - Configuration & its management
· Password Management

2. Masters
· Masters refer to the way various parameters are set up for all modules of the
software, like Purchase, Sales, Inventory, Finance etc. These drive how the
software will process relevant transactions.
· The masters are set up the first time during installation and these are changed
whenever the business process rules or parameters are changed.
· Examples are Vendor Master, Customer Master, Material Master, Accounts
Master, Employee Master etc.
· Any changes to these data have to be authorised by appropriate personnel and
these are logged and captured in exception reports.
· The way masters are set up will drive the way software will process transactions
of that type. For example: The Customer Master will have the credit limit of the
customer. When an invoice is raised, the system will check against the approved
credit limit; if the amount invoiced is within the credit limit the invoice will be
created, if not the invoice will be put on “credit hold” till proper approvals are
Some examples of masters are given here:
· Vendor Master: Credit period, vendor bank account details, etc.
· Customer Master: Credit limit, Bill to address, Ship to address, etc.
· Material Master: Material type, Material description, Unit of measure, etc.
· Employee Master: Employee name, designation, salary details, etc.
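The master-data controls described above (authorised changes, a change log, an exception report, and the credit-limit check that puts an invoice on “credit hold”) worked out on a Customer Master, as an added example that is not part of the study notes. The user names, roles, fields and amounts are assumptions.

```python
"""Added example (not from the study notes): a maker/checker control over a Customer
Master. Every change attempt is logged, an exception report surfaces rejected or
sensitive changes for review, and an invoice is put on "credit hold" when it would
breach the approved credit limit held in the master. Roles, ids and fields are assumed."""
from dataclasses import dataclass

# Assumed access matrix: who may request and who may approve master changes.
ROLE_OF = {"alice": "sales_clerk", "bob": "finance_manager", "carol": "finance_manager"}
MAY_REQUEST = {"sales_clerk", "finance_manager"}
MAY_APPROVE = {"finance_manager"}
CHANGEABLE_FIELDS = {"credit_limit", "bill_to", "ship_to"}
SENSITIVE_FIELDS = {"credit_limit"}   # always shown on the exception report


@dataclass
class Customer:
    customer_id: str
    credit_limit: float
    bill_to: str
    ship_to: str


class CustomerMaster:
    def __init__(self):
        self.rows = {}
        self.change_log = []          # one entry per attempt, applied or not

    def add(self, customer):
        self.rows[customer.customer_id] = customer

    def change(self, customer_id, field_name, new_value, requested_by, approved_by):
        """Apply a master change only when requester and approver are both authorised
        and are different people (segregation of duties). Returns True if applied."""
        if field_name not in CHANGEABLE_FIELDS:
            raise ValueError(f"field {field_name!r} is not a changeable master field")
        customer = self.rows[customer_id]
        problems = []
        if ROLE_OF.get(requested_by) not in MAY_REQUEST:
            problems.append("requester not authorised")
        if ROLE_OF.get(approved_by) not in MAY_APPROVE:
            problems.append("approver not authorised")
        if requested_by == approved_by:
            problems.append("self-approval")
        applied = not problems
        old_value = getattr(customer, field_name)
        if applied:
            setattr(customer, field_name, new_value)
        self.change_log.append({
            "customer_id": customer_id, "field": field_name,
            "old": old_value, "new": new_value,
            "requested_by": requested_by, "approved_by": approved_by,
            "status": "applied" if applied else "rejected: " + ", ".join(problems),
        })
        return applied

    def exception_report(self):
        """Entries a reviewer should look at: every rejected attempt, plus every
        applied change to a sensitive field so it can be tied back to an approval."""
        return [e for e in self.change_log
                if e["status"] != "applied" or e["field"] in SENSITIVE_FIELDS]

    def invoice_status(self, customer_id, open_balance, invoice_amount):
        """Transaction-level check driven by the master: the invoice is created only
        if the customer's exposure stays within the approved credit limit."""
        limit = self.rows[customer_id].credit_limit
        return "created" if open_balance + invoice_amount <= limit else "credit hold"


def run_example():
    """Constructed scenario; returns (number of exception entries, invoice statuses)."""
    master = CustomerMaster()
    master.add(Customer("C-1", credit_limit=20000.0, bill_to="HO", ship_to="Plant 1"))
    master.change("C-1", "ship_to", "Plant 2", requested_by="alice", approved_by="bob")
    master.change("C-1", "credit_limit", 50000.0, requested_by="alice", approved_by="carol")
    master.change("C-1", "credit_limit", 99999.0, requested_by="bob", approved_by="bob")
    statuses = (master.invoice_status("C-1", 40000.0, 5000.0),
                master.invoice_status("C-1", 40000.0, 15000.0))
    return len(master.exception_report()), statuses


if __name__ == "__main__":
    print(run_example())              # (2, ('created', 'credit hold'))
```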

3. Transactions
Transactions refer to the actual transactions entered through menus and functions in
the application software, through which all transactions for specific modules are
initiated, authorized or approved. For example:
· Sales transactions
· Purchase transactions
· Stock transfer transactions
· Journal entries
· Payment transactions

Risk & Control objectives for various processes

Procure to Pay (P2P) - Risks and Controls

Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and managing the
raw materials needed for manufacturing a product or providing a service.

Risks and Control Objectives (Masters-P2P)
· Risk: Unauthorized changes to supplier master file.
  Control Objective: Only valid changes are made to the supplier master file.
· Risk: All valid changes to the supplier master file are not input and processed.
  Control Objective: All valid changes to the supplier master file are input and processed.
· Risk: Changes to the supplier master file are not correct.
  Control Objective: Changes to the supplier master file are accurate.
· Risk: Changes to the supplier master file are delayed and not processed in a timely manner.
  Control Objective: Changes to the supplier master file are processed in a timely manner.
· Risk: Supplier master file data is not up to date.
  Control Objective: Supplier master file data remain up to date.
· Risk: System access to maintain vendor masters has not been restricted to the authorized users.
  Control Objective: System access to maintain vendor masters has been restricted to the authorized users.

Risks and Control Objectives (Transactions-P2P)
· Risk: Unauthorized purchase requisitions are ordered.
  Control Objective: Purchase orders are placed only for approved requisitions.
· Risk: Purchase orders are not entered correctly in the system.
  Control Objective: Purchase orders are accurately entered.
· Risk: Purchase orders issued are not input and processed.
  Control Objective: All purchase orders issued are input and processed.
· Risk: Amounts posted to accounts payable are not properly calculated and recorded.
  Control Objective: Accounts payable amounts are accurately calculated and recorded.
· Risk: Amounts for goods or services received are recorded in the wrong period.
  Control Objective: Amounts for goods or services received are recorded in the appropriate period.
· Risk: Credit notes and other adjustments are not accurately calculated and recorded.
  Control Objective: Credit notes and other adjustments are accurately calculated and recorded.
· Risk: Credit notes and other adjustments are recorded in the wrong period.
  Control Objective: Credit notes and other adjustments are recorded in the appropriate period.
· Risk: Disbursements are made for goods and services that have not been received.
  Control Objective: Disbursements are made only for goods and services received.
· Risk: Disbursements are distributed to unauthorized suppliers.
  Control Objective: Disbursements are distributed to the appropriate suppliers.
· Risk: System access to process transactions has not been restricted to the authorized users.
  Control Objective: System access to process transactions has been restricted to the authorized users.

Order to Cash (O2C) - Risks and Controls

Order to Cash (OTC or O2C) is a set of business processes that involve receiving and
fulfilling customer requests for goods or services. An order to cash cycle consists of multiple
sub-processes including:
1. Customer order is documented;
2. Order is fulfilled or service is scheduled;
3. Order is shipped to customer or service is performed;
4. Invoice is created and sent to customer;
5. Customer sends payment /Collection; and
6. Payment is recorded in general ledger.

Risks and Control Objectives (Masters-O2C)
· Risk: The customer master file is not maintained properly and the information is not accurate.
  Control Objective: The customer master file is maintained properly and the information is accurate.
· Risk: Invalid changes are made to the customer master file.
  Control Objective: Only valid changes are made to the customer master file.
· Risk: All valid changes to the customer master file are not input and processed.
  Control Objective: All valid changes to the customer master file are input and processed.
· Risk: Changes to the customer master file are not accurate.
  Control Objective: Changes to the customer master file are accurate.
· Risk: Changes to the customer master file are not processed in a timely manner.
  Control Objective: Changes to the customer master file are processed in a timely manner.
· Risk: Customer master file data is not up-to-date and relevant.
  Control Objective: Customer master file data is up to date and relevant.
· Risk: System access to maintain customer masters has not been restricted to the authorized users.
  Control Objective: System access to maintain customer masters has been restricted to the authorized users.

Risks and Control Objectives (Transactions-O2C)
· Risk: Orders are processed exceeding customer credit limits without approvals.
  Control Objective: Orders are processed only within approved customer credit limits.
· Risk: Orders are not approved by management as to prices and terms of sale.
  Control Objective: Orders are approved by management as to prices and terms of sale.
· Risk: Orders and cancellations of orders are not input accurately.
  Control Objective: Orders and cancellations of orders are input accurately.
· Risk: Order entry data are not transferred completely and accurately to the shipping and invoicing activities.
  Control Objective: Order entry data are transferred completely and accurately to the shipping and invoicing activities.
· Risk: All orders received from customers are not input and processed.
  Control Objective: All orders received from customers are input and processed.
· Risk: Invalid & unauthorized orders are input and processed.
  Control Objective: Only valid & authorized orders are input and processed.
· Risk: Invoices are generated using unauthorized terms and prices.
  Control Objective: Invoices are generated using authorized terms and prices.
· Risk: Invoices are not accurately calculated and recorded.
  Control Objective: Invoices are accurately calculated and recorded.
· Risk: Invoices are not recorded in the system.
  Control Objective: All invoices issued are recorded.
· Risk: Invoices are recorded in the wrong period.
  Control Objective: Invoices are recorded in the appropriate period.
· Risk: Cash receipts are not recorded in the period in which they are received.
  Control Objective: Cash receipts are recorded in the period in which they are received.
· Risk: Cash receipts data are not entered correctly.
  Control Objective: Cash receipts data are entered for processing accurately.
· Risk: Cash receipts are not entered in the system for processing.
  Control Objective: All cash receipts data are entered for processing.

Inventory Cycle - Risks and Controls

The Inventory Cycle is a process of accurately tracking the on-hand inventory levels for an
enterprise. An inventory system should maintain accurate record of all stock movements to
calculate the correct balance of inventory. The typical phases of the Inventory Cycle for
Manufacturers are as follows:
1. The ordering phase: The amount of time it takes to order and receive raw materials.
2. The production phase: The work in progress phase relates to the time it takes to convert
the raw material to finished goods ready for use by the customer.
3. The finished goods and delivery phase: The finished goods that remain in stock
and the delivery time to the customer. The inventory cycle is measured in number of

Risks and Control Objectives (Masters-Inventory)
· Risk: Invalid changes are made to the inventory management master file.
  Control Objective: Only valid changes are made to the inventory management master file.
· Risk: Invalid changes to the inventory management master file are input and processed.
  Control Objective: All valid changes to the inventory management master file are input and processed.
· Risk: Changes to the inventory management master file are not accurate.
  Control Objective: Changes to the inventory management master file are accurate.
· Risk: Inventory management master file data is not up to date.
  Control Objective: Inventory management master file data remain up to date.
· Risk: System access to maintain inventory masters has not been restricted to the authorized users.
  Control Objective: System access to maintain inventory masters has been restricted to the authorized users.

Risks and Control Objectives (Transactions-Inventory)
· Risk: Raw materials are received and accepted without valid purchase orders.
  Control Objective: Raw materials are received and accepted only if they have valid purchase orders.
· Risk: Raw materials received are not recorded accurately.
  Control Objective: Raw materials received are recorded accurately.
· Risk: Raw materials received are not recorded in the system.
  Control Objective: All raw materials received are recorded.
· Risk: Defective raw materials are not returned promptly to suppliers.
  Control Objective: Defective raw materials are returned promptly to suppliers.
· Risk: Transfers of raw materials to production are not recorded accurately and are not in the appropriate period.
  Control Objective: All transfers of raw materials to production are recorded accurately and in the appropriate period.
· Risk: Transfers of completed units of production to finished goods inventory are not recorded completely and accurately and are posted in an inappropriate period.
  Control Objective: All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period.
· Risk: Finished goods returned by customers are not recorded completely and accurately and are posted in an inappropriate period.
  Control Objective: Finished goods returned by customers are recorded completely and accurately in the appropriate period.
· Risk: Shipments are not recorded in the system.
  Control Objective: All shipments are recorded.
· Risk: Shipments are not recorded accurately.
  Control Objective: Shipments are recorded accurately.
· Risk: Costs of shipped inventory are not accurately recorded.
  Control Objective: Costs of shipped inventory are accurately recorded.
· Risk: System access to process inventory related transactions has not been restricted to the authorized users.
  Control Objective: System access to process inventory related transactions has been restricted to the authorized users.
21. Give two examples each of the Risks and Control Objectives for the following
business processes:
· Procure to Pay
· Order to Cash
· Inventory Cycle

Human Resources - Risks and Controls

The Human Resources life cycle refers to human resources management and covers all
the stages of an employee’s time within a specific enterprise and the role the human
resources department plays at each stage. Typical stages of the HR cycle include the following:
1. Recruiting and On boarding: Recruiting is the process of hiring a new employee.
The role of the human resources department in this stage is to assist in hiring. This
might include placing the job ads, selecting candidates whose resumes look
promising, conducting employment interviews and administering assessments such as
personality profiles to choose the best applicant for the position.
2. Orientation and Career Planning: Orientation is the process by which the employee
becomes a member of the company’s work force through learning her new job duties,
establishing relationships with co-workers and supervisors and developing a niche.
Career planning is the stage at which the employee and her supervisors work out her
long-term career goals with the company.

3. Career Development: Career development opportunities are essential to keep an
employee engaged with the company over time. This can include professional growth
and training to prepare the employee for more responsible positions with the company.
4. Termination or Transition: Some employees will leave a company through
retirement after a long and successful career. Others will choose to move on to other
opportunities or be laid off. The role of HR in this process is to manage the transition
by ensuring that all policies and procedures are followed, carrying out an exit interview
if that is company policy and removing the employee from the system.

Risks and Control Objectives (Configuration-Human Resources)
· Risk: Employees who have left the company continue to have system access.
  Control Objective: System access to be immediately removed when employees leave the company.
· Risk: Employees have system access in excess of their job requirements.
  Control Objective: Employees should be given system access on a “need to know” basis and to perform their job function.
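A periodic check for the two configuration risks in the table above (leavers who still have system access, and access beyond job requirements), reconciling application user accounts against the HR master, as an added example that is not part of the study notes. The data shapes, role names, user ids and the entitlement matrix are assumptions.

```python
"""Added example (not from the study notes): a reconciliation of application user
accounts against the HR master that produces the two findings from the table above:
leavers who still have access, and users with privileges beyond their job role.
Data shapes, role names and the entitlement matrix are assumptions."""

# Assumed entitlement matrix: the privileges each job role needs to do its work.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice_entry", "grn_view"},
    "ap_manager": {"invoice_entry", "grn_view", "payment_approve"},
    "sales_clerk": {"order_entry", "customer_view"},
}


def reconcile_access(hr_master, system_users):
    """hr_master:    {employee_id: {"status": "active" | "terminated", "role": str}}
    system_users: {user_id: {"employee_id": str, "active": bool, "privileges": set}}
    Returns one finding dict per problem account; an empty list means clean."""
    findings = []
    for user_id, account in sorted(system_users.items()):
        if not account["active"]:
            continue                       # already disabled: nothing to remove
        employee = hr_master.get(account["employee_id"])
        if employee is None:
            findings.append({"user": user_id, "issue": "no matching employee in HR master"})
            continue
        if employee["status"] != "active":
            findings.append({"user": user_id, "issue": "active account for terminated employee"})
            continue
        allowed = ROLE_ENTITLEMENTS.get(employee["role"], set())
        excess = set(account["privileges"]) - allowed
        if excess:
            findings.append({"user": user_id, "issue": "privileges beyond job role",
                             "excess": sorted(excess)})
    return findings


# Constructed sample data.
HR_MASTER = {
    "E1": {"status": "active", "role": "ap_clerk"},
    "E2": {"status": "terminated", "role": "ap_manager"},
    "E3": {"status": "active", "role": "sales_clerk"},
}
SYSTEM_USERS = {
    "u.ann": {"employee_id": "E1", "active": True,
              "privileges": {"invoice_entry", "grn_view", "payment_approve"}},
    "u.ben": {"employee_id": "E2", "active": True, "privileges": {"invoice_entry"}},
    "u.cat": {"employee_id": "E3", "active": True, "privileges": {"order_entry"}},
    "u.dan": {"employee_id": "E9", "active": True, "privileges": {"order_entry"}},
    "u.eve": {"employee_id": "E2", "active": False, "privileges": {"payment_approve"}},
}


def run_example():
    """Run the reconciliation over the constructed data; three findings are expected."""
    return reconcile_access(HR_MASTER, SYSTEM_USERS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```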

Risks and Control Objectives (Masters-Human Resources)
· Risk: Additions to the payroll master files do not represent valid employees.
  Control Objective: Additions to the payroll master files represent valid employees.
· Risk: New employees are not added to the payroll master files.
  Control Objective: All new employees are added to the payroll master files.
· Risk: Terminated employees are not removed from the payroll master files.
  Control Objective: Terminated employees are removed from the payroll master files.
· Risk: Deletions from the payroll master files do not represent valid terminations.
  Control Objective: Deletions from the payroll master files represent valid terminations.
· Risk: Invalid changes are made to the payroll master files.
  Control Objective: Only valid changes are made to the payroll master files.
· Risk: Payroll master file data is not up to date.
  Control Objective: Payroll master file data remain up to date.
· Risk: Payroll is disbursed to inappropriate employees.
  Control Objective: Payroll is disbursed to appropriate employees.
· Risk: System access to process employee master changes has not been restricted to the authorized users.
  Control Objective: System access to process employee master changes has been restricted to the authorized users.

Fixed Assets - Risks and Controls

Fixed Assets process ensures that all the fixed assets of the enterprise are tracked for the
purposes of financial accounting, preventive maintenance, and theft deterrence. Fixed
assets process ensures that all fixed assets are tracked and fixed asset record maintains
details of location, quantity, condition, maintenance and depreciation status.
Typical steps of fixed assets process are as follows:
1. Procuring an asset: An asset is most often entered into the accounting system when
the invoice for the asset is entered into the accounts payable or purchasing module
of the system.

2. Registering or Adding an asset: Most of the information needed to set up the asset
for depreciation is available at the time the invoice is entered. Information entered at
this stage could include: acquisition date, placed-in-service date, description, asset
type, cost basis, depreciable basis etc.
3. Adjusting the Assets: Adjustments to existing asset information often need to be
made. Events may occur that can change the depreciable basis of an asset.
Further, there may be improvements or repairs made to an asset that either add value to
the asset or extend its economic life.
4. Transferring the Assets: A fixed asset may be sold or transferred to another
subsidiary, reporting entity, or department within the company. These may result in
changes that impact the asset’s depreciable basis, depreciation, or other asset data.
This needs to be reflected accurately in the fixed assets management system.
5. Depreciating the Assets: Depreciation is an expense which should be periodically
accounted on a company’s books, and allocated to the accounting periods, to match
income and expenses.
6. Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete or is
beyond repair, the asset is typically disposed. Any difference between the book value
and realized value is reported as a gain or loss.

Risks and Control Objectives (Masters-Fixed Assets)
· Risk: Invalid changes are made to the fixed asset register and/or master file.
  Control Objective: Only valid changes are made to the fixed asset register and/or master file.
· Risk: Valid changes to the fixed asset register and/or master file are not input and processed.
  Control Objective: All valid changes to the fixed asset register and/or master file are input and processed.
· Risk: Changes to the fixed asset register and/or master file are not accurate.
  Control Objective: Changes to the fixed asset register and/or master file are accurate.
· Risk: Changes to the fixed asset register and/or master file are not promptly processed.
  Control Objective: Changes to the fixed asset register and/or master file are promptly processed.
· Risk: Fixed asset register and/or master file data are not kept up to date.
  Control Objective: Fixed asset register and/or master file data remain up to date.
· Risk: System access to fixed asset master file / system configuration is not restricted to the authorized users.
  Control Objective: System access to fixed asset master file / system configuration is restricted to the authorized users.

Risks and Control Objectives (Transactions-Fixed Assets)
· Risk: Fixed asset acquisitions are not accurately recorded.
  Control Objective: Fixed asset acquisitions are accurately recorded.
· Risk: Fixed asset acquisitions are not recorded in the appropriate period.
  Control Objective: Fixed asset acquisitions are recorded in the appropriate period.
· Risk: Fixed asset acquisitions are not recorded.
  Control Objective: All fixed asset acquisitions are recorded.
· Risk: Depreciation charges are not accurately calculated and recorded.
  Control Objective: Depreciation charges are accurately calculated and recorded.
· Risk: Depreciation charges are not recorded in the appropriate period.
  Control Objective: All depreciation charges are recorded in the appropriate period.
· Risk: Fixed asset disposals/transfers are not recorded.
  Control Objective: All fixed asset disposals/transfers are recorded.
· Risk: Fixed asset disposals/transfers are not accurately calculated and recorded.
  Control Objective: Fixed asset disposals/transfers are accurately calculated and recorded.
· Risk: Fixed asset disposals/transfers are not recorded in the appropriate period.
  Control Objective: Fixed asset disposals/transfers are recorded in the appropriate period.
· Risk: System access to process fixed asset transactions has not been restricted to the authorized users.
  Control Objective: System access to process fixed asset transactions has been restricted to the authorized users.

General Ledger - Risks and Controls

The General Ledger (GL) process covers recording transactions in the system through to
generating reports from the financial transactions entered. The input for the GL process
flow is the financial transactions, and the outputs are various types of financial reports
such as the balance sheet, profit and loss a/c, funds flow statement, ratio analysis, etc.
The typical steps in general ledger process flow are as follows:
1. Entering financial transactions into the system
2. Reviewing Transactions
3. Approving Transactions
4. Posting of Transactions
5. Generating Financial Reports

Risks and Control Objectives (Configuration-General Ledger)

Risk: Unauthorized general ledger entries could be passed.
Control Objective: Access to general ledger entries is appropriate and authorized.

Risk: System functionality does not exist to segregate the posting and approval functions.
Control Objective: System functionality exists to segregate the posting and approval functions.

Risk: Systems do not generate reports of all recurring and nonrecurring journal entries for
review by management for accuracy.
Control Objective: Systems generate reports of all recurring and nonrecurring journal entries
for review by management for accuracy.

Risk: Non-standard journal entries are not tracked and are inappropriate.
Control Objective: All non-standard journal entries are tracked and are appropriate.

Risk: System controls are not in place for appropriate approval of write-offs.
Control Objective: System controls are in place for appropriate approval of write-offs.

Risk: Transactions can be recorded outside of financial close cutoff requirements.
Control Objective: Transactions cannot be recorded outside of financial close cutoff requirements.

Risk: The sources of all entries are not readily identifiable.
Control Objective: The sources of all entries are readily identifiable.

Risk: Transactions are not rejected, or accepted and identified on exception reports, in the
event of data exceptions.
Control Objective: Transactions are rejected, or accepted and identified on exception reports,
in the event of data exceptions.

Risk: Adding to or deleting general ledger accounts is not limited to authorized accounting
department personnel.
Control Objective: Adding to or deleting general ledger accounts is limited to authorized
accounting department personnel.

Risks and Control Objectives (Masters-General Ledger)

Risk: General ledger master file change reports are not generated by the system and are not
reviewed as necessary by an individual who does not input the changes.
Control Objective: General ledger master file change reports are generated by the system and
reviewed as necessary by an individual who does not input the changes.

Risk: A standard chart of accounts has not been approved by management and is not utilized
within all entities of the corporation.
Control Objective: A standard chart of accounts has been approved by management and is
utilized within all entities of the corporation.

Risks and Control Objectives (Transactions-General Ledger)

Risk: General ledger balances are not reconciled to sub-ledger balances, and such
reconciliations are not reviewed for accuracy or approved by supervisory personnel.
Control Objective: General ledger balances reconcile to sub-ledger balances, and such
reconciliations are reviewed for accuracy and approved by supervisory personnel.

Risk: Interrelated balance sheet and income statement accounts do not undergo automated
reconciliation to confirm accuracy of such accounts.
Control Objective: Interrelated balance sheet and income statement accounts undergo
automated reconciliation to confirm accuracy of such accounts.

Risk: Account codes and transaction amounts are not accurate and complete, and exceptions
are not reported.
Control Objective: Account codes and transaction amounts are accurate and complete, with
exceptions reported.

Risk: A report of all journal entries completed as part of the closing process is not reviewed
by management to confirm the completeness and appropriateness of all recorded entries.
Control Objective: A report of all journal entries completed as part of the closing process is
reviewed by management to confirm the completeness and appropriateness of all recorded entries.

Risk: Entries booked in the close process are not complete and accurate.
Control Objective: Entries booked in the close process are complete and accurate.


Core to any enterprise’s success is an efficient and effective financial information system
to support decision-making and monitoring. The risks, controls and security of such systems
should be clearly understood in order to form an objective opinion about the adequacy of
control in an IT environment.

22. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.

The Companies Act, 2013

The Companies Act, 2013 has two very important Sections - Section 134 and Section 143,
which have a direct impact on the audit and accounting profession.
(i) Section 134
Section 134 of the Companies Act, 2013 on “Financial statement, Board’s report,
etc.” states inter alia:

The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3)
shall state that:
· the directors had taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of this Act for safeguarding the
assets of the company and for preventing and detecting fraud and other irregularities;
· the directors, in the case of a listed company, had laid down internal financial controls
to be followed by the company and that such internal financial controls are adequate and
were operating effectively.
Explanation: For the purposes of this clause, the term “internal financial controls”
means the policies and procedures adopted by the company for ensuring the orderly
and efficient conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the
accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information;
· the directors had devised proper systems to ensure compliance with the provisions of
all applicable laws and that such systems were adequate and operating effectively.

(ii) Section 143

Section 143, of the Companies Act 2013, on “Powers and duties of auditors and
auditing standards” states inter alia:
Section 143(3) contains the auditor’s report which states:
“whether the company has adequate internal financial controls system in place and the
operating effectiveness of such controls”;
When we talk in terms of “adequacy and effectiveness of controls”, it refers to the
adequacy of the control design and whether the control has been working effectively
during the relevant financial year. The impact of this statement is that it involves
continuous control monitoring during the year and not a review “as at” a particular date.
For example, let us assume that a company has a sales invoicing control wherein all
sales invoices raised by the salesman which are greater than Rs. 50,000/- are reviewed
and approved by the sales manager. In terms of the control design, this control may
seem adequate. However, suppose that during the audit it was found that, during the year,
many invoices raised by the salesman which were greater than Rs. 50,000/- were not
reviewed and approved by the sales manager. In such a case, although the control design
was adequate, the control was not working effectively, due to many exceptions without
proper approval.
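A test of operating effectiveness for the invoice-approval control in the example above, as an added example (not from the study material): the invoice records, user ids and the set of sales managers are constructed, and treating any exception as a failure (zero tolerance) is an assumption rather than an audit standard.

```python
"""Test of operating effectiveness for an invoice-approval control.
Design of the control (from the text): every sales invoice above Rs 50,000 is
reviewed and approved by the sales manager. The test walks the whole financial
year's population instead of checking a single "as at" date, and every in-scope
invoice lacking a valid approval is reported as an exception."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = 50_000  # Rs; invoices strictly above this need approval (from the page)

# Hypothetical role mapping: user ids that hold the sales manager role (constructed).
SALES_MANAGERS = {"sm_rao", "sm_iyer"}


@dataclass(frozen=True)
class Invoice:
    number: str
    invoice_date: date
    raised_by: str              # salesman who raised the invoice
    amount: int                 # Rs
    approved_by: Optional[str]  # None when no approval is recorded in the system


@dataclass(frozen=True)
class Finding:
    invoice: str
    reason: str


def check_invoice(inv: Invoice) -> Optional[Finding]:
    """Apply the control's design to one invoice; return a Finding when it fails."""
    if inv.amount <= APPROVAL_THRESHOLD:
        return None  # at or below the threshold: the design requires no approval
    if inv.approved_by is None:
        return Finding(inv.number, "above threshold, no approval recorded")
    if inv.approved_by not in SALES_MANAGERS:
        return Finding(inv.number, f"approved by {inv.approved_by}, who is not a sales manager")
    if inv.approved_by == inv.raised_by:
        # Segregation-of-duties check added here: raising and approving by one person
        # defeats the review even when that person holds the manager role.
        return Finding(inv.number, "self-approved by the person who raised it")
    return None


def assess_operating_effectiveness(invoices: List[Invoice], fy_start: date, fy_end: date) -> Dict:
    """Run the control test over the full population for the year (continuous monitoring,
    not a point-in-time review). Tolerance for exceptions is set to zero here (assumption);
    an auditor would set it from the audit plan."""
    population = [i for i in invoices if fy_start <= i.invoice_date <= fy_end]
    in_scope = [i for i in population if i.amount > APPROVAL_THRESHOLD]
    findings = [f for f in map(check_invoice, in_scope) if f is not None]
    return {
        "population": len(population),
        "in_scope": len(in_scope),
        "exceptions": findings,
        # Design can be adequate while operation fails: any exception means the control
        # did not operate effectively over the period tested.
        "operating_effectively": not findings,
    }


# Constructed records for the financial year 1 April 2023 to 31 March 2024.
FY_START, FY_END = date(2023, 4, 1), date(2024, 3, 31)
SAMPLE_INVOICES = [
    Invoice("INV-001", date(2023, 5, 2), "sales_kumar", 20_000, None),            # below threshold
    Invoice("INV-002", date(2023, 6, 10), "sales_kumar", 75_000, "sm_rao"),       # properly approved
    Invoice("INV-003", date(2023, 9, 18), "sales_mehta", 1_20_000, None),         # missing approval
    Invoice("INV-004", date(2023, 11, 5), "sales_mehta", 50_000, None),           # exactly at threshold
    Invoice("INV-005", date(2024, 1, 22), "sales_kumar", 60_000, "sales_mehta"),  # approved by a peer
    Invoice("INV-006", date(2024, 2, 14), "sm_rao", 90_000, "sm_rao"),            # self-approved
    Invoice("INV-007", date(2024, 4, 3), "sales_kumar", 2_00_000, None),          # next year: out of scope
]

if __name__ == "__main__":
    result = assess_operating_effectiveness(SAMPLE_INVOICES, FY_START, FY_END)
    print(f"population={result['population']} in_scope={result['in_scope']} "
          f"operating_effectively={result['operating_effectively']}")
    for f in result["exceptions"]:
        print(f"  {f.invoice}: {f.reason}")
```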
As per ICAI’s “Guidance Note on Audit of Internal Financial Controls over
Financial Reporting”:
Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013 (“the 2013 Act”
or “the Act”) requires the auditors’ report to state whether the company has adequate
internal financial controls system in place and the operating effectiveness of such controls.
I. Management’s Responsibility
The 2013 Act has significantly expanded the scope of internal controls to be
considered by the management of companies to cover all aspects of the operations of
the company. Clause (e) of Sub-section 5 of Section 134 of the Act requires the
directors’ responsibility statement to state that the directors, in the case of a listed
company, had laid down internal financial controls to be followed by the company and
that such internal financial controls are adequate and were operating effectively.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of
Directors’ report of all companies to state the details in respect of adequacy of internal
financial controls with reference to the financial statements.

The inclusion of the matters relating to internal financial controls in the directors’
responsibility statement is in addition to the requirement for the directors to state that
they have taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of the 2013 Act, for safeguarding
the assets of the company and for preventing and detecting fraud and other irregularities.

II. Auditors’ Responsibility

The auditor’s objective in an audit of internal financial controls over financial reporting
is to express an opinion on the effectiveness of the company’s internal financial
controls over financial reporting; the procedures in respect thereof are carried out
along with an audit of the financial statements. Because a company’s internal controls
cannot be considered effective if one or more material weaknesses exist, to form a
basis for expressing an opinion the auditor should plan and perform the audit to
obtain sufficient appropriate evidence to obtain reasonable assurance about whether a
material weakness exists as of the date specified in management’s assessment. A
material weakness in internal financial controls may exist even when the financial
statements are not materially misstated.

III. Corporate Governance Requirements

Corporate Governance is the framework of rules and practices by which a board of
directors ensures accountability, fairness, and transparency in a company’s
relationship with all its stakeholders (financiers, customers, management, employees,
government, and the community).
The corporate governance framework consists of:
(i) Explicit and implicit contracts between the company and the stakeholders for
distribution of responsibilities, rights, and rewards
(ii) Procedures for reconciling the sometimes-conflicting interests of stakeholders in
accordance with their duties, privileges, and roles, and
(iii) Procedures for proper supervision, control, and information-flows to serve as a
system of checks-and-balances.

IV. Enterprise Risk Management’s Framework

As discussed in the previous section of the chapter, Enterprise Risk Management
(ERM) in business includes the methods and processes used by organizations to
manage risks and seize opportunities related to the achievement of their objectives.
As shown in the figure, ERM provides a framework for risk management, which typically
involves identifying particular events or circumstances relevant to the organization’s
objectives (risks and opportunities), assessing them in terms of likelihood and
magnitude of impact, determining a response strategy, and monitoring progress. By
identifying and pro-actively addressing risks and opportunities, business enterprises
protect and create value for their stakeholders, including owners, employees,
customers, regulators, and society overall.

Fig. Framework Provided by ERM (stages shown: Risk Identification; Risk Assessment,
covering Risk Analysis and Risk Prioritization; Risk Mitigation / Control, covering Risk
Reduction and Risk Planning; Risk Monitoring)

Management selects a risk response strategy for specific risks identified and analysed,
which may include:
(i) Avoidance: Not doing an activity which causes risk.
(ii) Reduction: taking action to reduce the likelihood or impact related to the risk.
(iii) Alternative Actions: deciding and considering other feasible steps to minimize risks.
(iv) Share or Insure: transferring or sharing a portion of the risk, to finance it.
(v) Accept: no action is taken, due to a cost/benefit decision.

Information Technology Act (IT Act)

This Act aims to provide the legal infrastructure for e-commerce in India, and its cyber laws
have a major impact on e-businesses and the new economy in India. So, it is important to
understand the various perspectives of the IT Act, 2000 (as amended in 2008) and what it
offers.
The Act also aims to provide for the legal framework so that legal sanctity is accorded to all
electronic records and other activities carried out by electronic means. The Act states that
unless otherwise agreed, an acceptance of contract may be expressed by electronic means
of communication and the same shall have legal validity and enforceability.

I. Advantages of Cyber Laws

The IT Act 2000 attempts to change outdated laws and provides ways to deal with
cyber-crimes. We need such laws so that people can perform purchase transactions
over the Net without fear of misuse. The Act offers the much-needed legal framework
so that information is not denied legal effect, validity or enforceability, solely on the
ground that it is in the form of electronic records.
In view of the growth in transactions and communications carried out through
electronic records, the Act seeks to empower government departments to accept filing,
creating and retention of official documents in the digital format. The Act has also
proposed a legal framework for the authentication and origin of electronic records/
communications through digital signature.
From the perspective of e-commerce in India, the IT Act 2000 and its provisions
contain many positive aspects which are as follows:
· The implications for e-businesses would be that email would now be a valid
and legal form of communication in India that can be duly produced and
approved in a court of law.
· Companies shall now be able to carry out electronic commerce using the legal
infrastructure provided by the Act.
· Digital signatures have been given legal validity and sanction in the Act.

· The Act throws open the doors for the entry of corporate companies in the
business of being Certifying Authorities for issuing Digital Signatures Certificates.
· The Act now allows Government to issue notification on the web thus heralding
· The Act enables the companies to file any form, application or any other
document with any office, authority, body or agency owned or controlled by the
appropriate Government in electronic form by means of such electronic form as
may be prescribed by the appropriate Government.
· The IT Act also addresses the important issues of security, which are so critical
to the success of electronic transactions.
· The Act has given a legal definition to the concept of secure digital signatures
that would be required to have been passed through a system of a security
procedure, as stipulated by the Government at a later date.
Under the IT Act, 2000, it shall now be possible for corporates to have a statutory
remedy in case anyone breaks into their computer systems or network and causes
damage or copies data. The remedy provided by the Act is in the form of monetary
damages, not exceeding Rs. 1 crore.

II. Computer Related Offences

23. Give five examples of computer related offences that can be prosecuted under
the IT Act 2000 (amended via 2008).
Common Cyber-crime scenarios: Let us look at some common cyber-crime
scenarios which can attract prosecution as per the penalties and offences prescribed
in the IT Act 2000 (amended via 2008).
· Harassment via fake public profile on social networking site : A fake profile
of a person is created on a social networking site with the correct address,
residential information or contact details but he/she is labelled as a person of
’loose character’. This leads to harassment of the victim.
· Email Account Hacking : If victim’s email account is hacked and obscene
emails are sent to people in victim’s address book.
· Credit Card Fraud : Unsuspecting victims would use infected computers to
make online transactions.
· Web Defacement : The homepage of a website is replaced with a defamatory
page. Government sites generally face the wrath of hackers on symbolic days.
· Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs : All of the
above are some sort of malicious programs which are used to destroy or gain
access to some electronic information.
· Cyber Terrorism : Many terrorists use virtual (Drive, FTP sites) and physical
storage media (USB’s, hard drives) for hiding information and records of their
illicit business.
· Online sale of illegal Articles : Where sale of narcotics drugs, weapons and
wildlife is facilitated by the Internet
· Phishing and Email Scams : Phishing involves fraudulently acquiring sensitive
information through masquerading a site as a trusted entity (e.g. Passwords,
credit card information).
· Theft of Confidential Information : Many business organizations store their
confidential information in computer systems. This information is targeted by
rivals, criminals and disgruntled employees.

III. Privacy
The main principles on data protection and privacy enumerated under the IT Act, 2000 are:
· defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’,
‘addressee’ etc.
· creating civil liability if any person accesses or secures access to computer,
computer system or computer network
· creating criminal liability if any person accesses or secures access to computer,
computer system or computer network
· declaring any computer, computer system or computer network as a protected
· imposing penalty for breach of confidentiality and privacy
· setting up of hierarchy of regulatory authorities, namely adjudicating officers, the
Cyber Regulations Appellate Tribunal etc.

Example - Privacy Policy

A sample privacy policy is given below which highlights key aspects of how and what type
of information is collected from the customer, how it is used and secured, and the
options for the user providing the information:
“At ABC Ltd., we take your privacy very seriously. Because of this, we want to provide
you with explicit information on how we collect, gather, and identify information during
your visit to our site. This information may be expanded or updated as we change or
develop our site. For this reason, we recommend that you review this policy from time
to time to see if anything has changed. Your continued use of our site signifies your
acceptance of our privacy policy.
Personally identifiable information refers to information that tells us specifically who
you are, such as your name, phone number, email or postal address. In many cases,
we need this information to provide the personalized or enhanced service that you
have requested. The amount of personally identifiable information that you choose to
disclose to ABC Ltd is completely up to you. The only way we know something about
you personally is if you provide it to us in conjunction with one of our services.

What information do we collect and how do we use it?

· ABC Ltd. collects information on our users by your voluntary submissions (e.g.,
when you sign up for a white paper or request product information). We also
collect, store and accumulate certain non-personally identifiable information
concerning your use of this web site, such as which of our pages are most visited.
· The information ABC Ltd. collects is used in a variety of ways: for internal review;
to improve the content of the site, thus making your user experience more
valuable; and to let you know about products and services of interest.
· If you have provided us your email address, ABC Ltd. periodically sends promotional
emails about products offered by us. If you do not wish to receive email information
from ABC Ltd., please let us know by emailing us.
· ABC Ltd. does not sell, rent, or give away your personal information to third
parties. By using our web site, you provide consent to the collection and use of
the information described in this Privacy Policy of ABC Ltd.”

IV. Cyber crime
The term ‘Cyber Crime’ finds no mention either in The Information Technology Act
or in any legislation of the Country. Cyber Crime is not different than the traditional
crime. The only difference is that in Cyber Crime the computer technology is involved.
This can be explained by the following instance:
· Traditional Theft: ‘A’ thief enters in B’s house and steals an object kept in the
· Hacking: ‘A’ Cyber Criminal sitting in his own house, through his computer hacks
the computer of ‘B’ and steals the data saved in B’s computer without physically
touching the computer or entering in B’s house. Hence Cyber Crime is a
Computer related crime.
The IT Act, 2000 defines the terms access in computer network in section 2(a),
computer in section 2(i), computer network in section 2(j), data in section 2(o) and
information in section 2(v). These are all the necessary ingredients that are useful to
technically understand the concept of Cyber Crime.

2(a) “Access”, with its grammatical variations and cognate expressions, means gaining
entry into, instructing or communicating with the logical, arithmetical, or memory
function resources of a computer, computer system or computer network;

2(i) “Computer” means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or optical impulses, and
includes all input, output, processing, storage, computer software, or
communication facilities which are connected or related to the computer in a
computer system or computer network;

2(j) “Computer Network” means the interconnection of one or more computers or
computer systems or communication devices through-
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or
communication devices whether or not the interconnection is continuously

2(o) “Data” means a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a formalized manner,
and is intended to be processed, is being processed or has been processed in a
computer system or computer network and may be in any form (including computer
printouts, magnetic or optical storage media, punched cards, punched tapes) or stored
internally in the memory of the computer;

2(v) “Information” includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or micro film or computer generated micro fiche;

V. Sensitive Personal Data Information (SPDI)

The Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information Rules, 2011, framed under section 43A of the Information Technology Act,
2000, define a data protection framework for the processing of digital data by Body Corporate.

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per
the IT Act, Body Corporate is defined as “Any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities.”
Definition of Personal and Sensitive Personal data: Rule 2(i) defines personal
information as “information that relates to a natural person which either directly or
indirectly, or combination with other information available or likely to be available with
a body corporate, is capable of identifying such person.”
Rule 3 defines sensitive personal information as:
· Passwords
· Financial information
· Physical/physiological/mental health condition
· Medical records and history; and
· Biometric information
Consent: Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent
in writing through letter or fax or email from the provider of sensitive personal data regarding
the use of that data.
In a context where services are delivered with little or no human interaction, data is
collected through sensors on a real-time and regular basis, and data is used and re-used
for multiple and differing purposes, it is not practical, and often not possible, for consent
to be obtained in writing through letter, fax or email for each instance of data collection
and for each use.

Q.1 Draw a flowchart to compute simple interest

Q.2 Draw a flowchart to calculate discount on sales, where discount is 5% of sales.
Output needs name and PAN also.

Q.3 Draw a flowchart to draw & print discounted amount , where Discount is 5 %

Q.4 Draw a flowchart to calculate & print discounted amount , discount rate is 20 % , if sale
is < 10,000 Or else 30 %

Q.5 Draw a flowchart to calculate Simple Interest, if rate of interest for Indians 10 % and
For others 20 %

Q.6 The goods imported from foreign countries are classified into four categories for
the purpose of levying custom duty. The rate of custom duty on the value of goods for each
category is given below:

Category: Rate of custom duty
1. Electronic items: 10
2. Heavy machinery: 15
3. Footwear items: 20
4. All other uncategorized items: 25

Draw a flow chart to compute the appropriate custom duty including educational cess at
the rate of 3% of the value of custom duty.

Q.7 Draw a flowchart to compute the total bill, where the rate of cycle hire is as follows:
Model 1: 10 Rs per day
Model 2: 20 Rs per day
Model 3: 30 Rs per day
Deposit is 25.

Q.8. Draw a flowchart to compute and print income tax, surcharge and education cess on
the income of a person, where income is to be read from terminal and tax is to be
calculated as per the following rates:

Slab (Rs): Rate
(1) 1 to 1,00,000: No tax
(2) 1,00,001 to 1,50,000: @10% of amount above 1,00,000
(3) 1,50,001 to 2,50,000: Rs 5,000 + 20% of amount above 1,50,000
(4) 2,50,001 onwards: Rs 25,000 + 30% of amount above 2,50,000

Surcharge @10% on the amount of total tax, if the income of a person exceeds
Rs. 10,00,000. Education cess 2% on the total tax.


Q.9. Draw a flow chart to compute and print income-tax and surcharge on the income of the
individual; the income is to be read from terminal and tax is to be calculated as per the
following rates:

Income (in Rs.): Rate
Up to 50,000: No tax
From 50,001 to 60,000: @10% of amount above Rs. 50,000
From 60,001 to 1,50,000: 1,000 + 20% of amount above Rs. 60,000
Above Rs. 1,50,000: Rs. 19,000 + 30% of amount above Rs. 1,50,000

Charge surcharge @5% on the amount of total tax, if the income of a person
exceeds Rs. 60,000.
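A program carrying out the slab computations of Q.8 and Q.9 above, as an added worked example (not part of the exercise set): the slabs, thresholds and rates are those stated in the two questions; applying Q.8's 2% cess to the slab tax alone, as the question words it, is an interpretation.

```python
"""Slab-based income-tax computation for Q.8 and Q.9.
Money is handled with Decimal so the slab arithmetic is exact. Each slab stores the
cumulative tax up to its lower limit and the marginal rate above it, which is exactly
how the questions present the rates."""

from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Tuple

PAISE = Decimal("0.01")


@dataclass(frozen=True)
class Slab:
    lower: int     # income must exceed this to fall in the slab
    fixed: int     # tax on income up to `lower` (the cumulative figure in the question)
    rate: Decimal  # marginal rate on the amount above `lower`


@dataclass(frozen=True)
class Schedule:
    slabs: Tuple[Slab, ...]   # ordered highest slab first
    surcharge_threshold: int  # surcharge applies when income exceeds this
    surcharge_rate: Decimal
    cess_rate: Decimal        # Decimal("0") when the question levies no cess


@dataclass(frozen=True)
class TaxResult:
    income: int
    tax: Decimal
    surcharge: Decimal
    cess: Decimal

    @property
    def total(self) -> Decimal:
        return self.tax + self.surcharge + self.cess


# Q.8: slabs (1) to (4), surcharge 10% if income > Rs 10,00,000, education cess 2%.
Q8 = Schedule(
    slabs=(
        Slab(2_50_000, 25_000, Decimal("0.30")),  # 2,50,001 onwards
        Slab(1_50_000, 5_000, Decimal("0.20")),   # 1,50,001 to 2,50,000
        Slab(1_00_000, 0, Decimal("0.10")),       # 1,00,001 to 1,50,000
    ),
    surcharge_threshold=10_00_000,
    surcharge_rate=Decimal("0.10"),
    cess_rate=Decimal("0.02"),  # interpretation: cess on the slab tax, as Q.8 words it
)

# Q.9: different slabs, surcharge 5% if income > Rs 60,000, no cess.
Q9 = Schedule(
    slabs=(
        Slab(1_50_000, 19_000, Decimal("0.30")),  # above 1,50,000
        Slab(60_000, 1_000, Decimal("0.20")),     # 60,001 to 1,50,000
        Slab(50_000, 0, Decimal("0.10")),         # 50,001 to 60,000
    ),
    surcharge_threshold=60_000,
    surcharge_rate=Decimal("0.05"),
    cess_rate=Decimal("0"),
)


def slab_tax(income: int, schedule: Schedule) -> Decimal:
    """Tax before surcharge and cess: the first slab whose lower limit the income exceeds."""
    if income < 0:
        raise ValueError("income cannot be negative")
    for slab in schedule.slabs:
        if income > slab.lower:
            return (slab.fixed + slab.rate * (income - slab.lower)).quantize(PAISE, ROUND_HALF_UP)
    return Decimal("0.00")  # lowest band: no tax


def compute_tax(income: int, schedule: Schedule) -> TaxResult:
    """Follows the flowchart's decision steps: slab tax, then surcharge test, then cess."""
    tax = slab_tax(income, schedule)
    surcharge = Decimal("0.00")
    if income > schedule.surcharge_threshold:
        surcharge = (tax * schedule.surcharge_rate).quantize(PAISE, ROUND_HALF_UP)
    cess = (tax * schedule.cess_rate).quantize(PAISE, ROUND_HALF_UP)
    return TaxResult(income, tax, surcharge, cess)


if __name__ == "__main__":
    for income in (1_00_000, 2_00_000, 12_00_000):
        r = compute_tax(income, Q8)
        print(f"Q.8 income {income:>9,}: tax {r.tax} surcharge {r.surcharge} "
              f"cess {r.cess} total {r.total}")
```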

Q.10. (I) Input name and basic salary for 100 employees. Each employee contributes 10%
of basic salary towards provident fund. Find and print the name and P.F. contribution
made by each employee.
(II) Also print the total contribution of all employees.

Q.11.Draw a flowchart to calculate Simple Interest of 50 customers & calculate total simple
interest of 50 customers

Q.12. A book publisher offers discount to customers on the basis of customer type and
number of copies ordered as shown below:

Customer type: Book Seller
Number of copies ordered: % of discount
More than 10: 25
Less than or equal to 10: 15
More than 5: 20
Less than or equal to 5: 10

Customer number, name, type, book number, number of copies ordered and unit
price are given as input. Draw a flow chart to calculate the net amount of the bill for
each customer and print it. The above is to be carried out for 50 customers.

Q.13. An electric supply company charges the following rates from its consumers:
No. of units consumed: Charges/unit
For the first 200 units: 2.50
For the next 300 units: 3.50
Over 500 units: 5.00

The computer database of the company has the following information:
1) Consumer name
2) Address
3) Units consumed
4) Bill date
5) Payment date
If the consumer pays his bill within 15 days from the bill date, 10% discount is given.
If he makes the payment after 15 days from the bill date, 5% surcharge is levied.
Draw a flow chart to calculate the net amount of the bill for each consumer and print it.

Q.14. An electricity distribution company has three categories of consumers, namely
(i) Domestic
(ii) Commercial
(iii) Industry
The charges of electricity per unit consumed by these consumers are Rs.3, Rs.4 and
Rs.5 respectively. The computer database of the company has the following information:
Consumer’s category, Units consumed, Bill date, Date of payment.

The company processes bills according to the following criterion. If the consumer is
domestic and pays the bill within 10 days of the bill date, 5% discount is given. If he pays
the bill within 15 days, no discount is given. If he makes the payment after 15 days of
the bill date, 10% surcharge is levied.
For the non-domestic consumers (commercial or industry), the corresponding percentages
are 10%, 0% and 15% respectively. Draw a flow chart to calculate the bill amount,
discount, surcharge and net amount of the bill for each type of consumer and print it.

Q.15. An electric supply company charges the following rates from its consumers:
No. of units consumed: Charges/unit
For the first 200 units: 2.50
For the next 300 units: 3.50
Over 500 units: 5.00

Surcharge @ 20% of the total bill is to be added to the charges on the bill.
Draw a flowchart to read the consumer number and number of units consumed, and print
out the total charges with customer number and units consumed.

Q.16. A bicycle shop in a city hires bicycles by the day at different rates for different models
as below:
Model no: Hire rate per day (Rs.)
Model No.1: 14.00
Model No.2: 12.00
Model No.3: 10.00

In order to attract customers, the shopkeeper gives a discount on the number of days
a bicycle is hired for. The policy of discount is as given below:
No. of days: Discount rate (%)
1-5: 0.00
6-10: 8
11 and over: 15

For every bicycle hired a deposit of Rs.30.00 must be paid. Develop a flow chart to
print out details for each customer such as name of the customer, bicycle model
number, number of days a bicycle is hired for, hire charges, discount and total

Q.17. A Housing Society in a newly developed Smart City has provided several advanced
security systems to each house in that city. Based on the value of these advanced
security systems installed in each house, the Society has divided all the houses into four
categories and fixed the criteria for annual maintenance charges as under:

House Category: Maintenance charges as % of value of advanced security systems
installed at house
A: 8%
B: 6%
C: 4%
D: 3%

In addition to the above, there is a service tax @ 12.36% on the amount of maintenance
charges. Considering house number and value of advanced security system installed
as input, draw a flow chart to have printed output as house number, maintenance
charges, service tax and the total amount to be paid by each house owner.

Q.18. ABC Limited is a software development company, which appointed 50 software
engineers in August 2014 at a monthly salary of Rs. 30,000. All these engineers shall be
entitled to an increment in their monthly salary after six months. The increment on
present monthly salary shall be based on their performance, to be evaluated on a 100
marks scale as per the details given below:

- Performance marks < 70: increment shall be 10% of present salary.
- 70 ≤ Performance marks < 80: increment shall be 20% of present salary.
- Performance marks ≥ 80: increment shall be 30% of present salary.

Draw a flow chart to print the details like name of the engineer, performance marks,
monthly increment amount and revised monthly salary for each of these 50 engineers.

: 42 :



· Integrated & Non Integrated System

· Business Process Modules and Their Integration with Financial & Accounting

· Data Analytics and Business Intelligence

· Business Reporting and Fundamental XBRL

· Applicable Regulatory and Compliance Requirements

1 What is a System?
· A system is a set of interrelated & interdependent elements or components that
operate together to accomplish common objectives by taking inputs and producing
outputs in an organized manner.
· All systems generally have -
§ Inputs, Outputs and feedback mechanisms,
§ A number of interrelated & interdependent sub-systems. No sub-system
can function in isolation; it depends on other sub-systems for inputs.
§ If one sub-system / component fails, in most cases the whole system
doesn't work.

2 What is a Business Process?

· In the systems engineering arena, a Process is defined as a sequence of events that
uses inputs to produce outputs.
· This is a broad definition and can include sequences as mechanical as reading a file
and transforming the file to a desired output format; to taking a customer order,
filling that order, and issuing the customer invoice.
· From a business perspective, a Process is a coordinated and standardized flow of
activities performed by people or machines, which can overcome functional or
departmental boundaries to achieve a business objective and creates value for
internal or external customers.
· Organizations have many different business processes such as completing a sale,
purchasing raw materials, paying employees or vendors, maintaining accounts, etc.
· Each of the business processes has either a direct or an indirect effect on the financial
status of the organization.

Concepts in Computerized Accounting Systems

3. Explain the types of data used in Financial & Accounting system

Every accounting system stores data in two ways: Master Data and Non-Master Data (or
Transaction Data) as shown.

1) Master Data:
· Master data is relatively permanent data that is not expected to change
frequently.
· Master data is generally not typed by the user but it is created by Database
· On the basis of Master data, the user incorporates transaction data into the system.
· All business process modules must use common master data.
· Master data is selected from the available list of masters (e.g. Ledgers) to
maintain standardization, as we need to collect all the transactions relating to
one master data at one place for reporting.
· While inputting information, the user is forced to select master data from the
available list to avoid confusion while preparing reports, for example where the
same ledger name may be written differently.

In accounting systems, there may be the following types of master data:

a. Accounting Master Data:
· This includes names of ledgers, groups, cost centers, accounting voucher types,
· E.g. Capital Ledger, sales, purchase, expenses and income ledgers are created
once and are not expected to change frequently.

b. Inventory Master Data:

· This includes stock items, stock groups, godowns, inventory voucher types, etc.

c. Payroll Master Data:

· Payroll is a system for calculation of salary and recording of transactions relating
to employees. Master data in case of payroll can be names of employees, groups
of employees, salary structure, pay heads, etc.
· These data are not expected to change frequently. E.g. an Employee created in the
system will remain as it is for a longer period of time; his/her salary structure
may change, but not frequently.

d. Statutory Master Data:

· This is master data relating to statute/law. It may be different for different
types of taxes.
· E.g. Goods and Service Tax (GST), Headings of Income, Tax rates, Nature of
Payments for Tax Deducted at Source (TDS), etc.

2) Non-Master Data:
· It is data which is expected to change frequently and is not
permanent data.
· Non-master data is typed by the user and not selected from an available list, as it is
non-permanent and keeps on changing.
· E.g. Amounts recorded in each transaction shall be different every time and are
expected to change again and again. The date recorded in each transaction is
expected to change again and again and will not be constant in all the

4. Explain types of vouchers used in accounting system

· A Voucher is documentary evidence of a transaction. There may be different
documentary evidences for different types of transactions. E.g. a Receipt given to
a customer after he/she makes a payment is documentary evidence of the
amount received.
· A sales invoice, a purchase invoice, is also a documentary evidence of
· A Voucher is the place where transactions are recorded. It is a data input form for
inputting transaction data.
Voucher Types

Sr.No.  Voucher Type     Module      Use
1       Contra           Accounting  For recording of four types of transactions:
                                     a. Cash deposit in bank
                                     b. Cash withdrawal from bank
                                     c. Cash transfer from one location to another.
                                     d. Fund transfer from one of our bank accounts
                                        to another of our own bank accounts.
2       Payment          Accounting  For recording of all types of payments, whenever
                                     money is going out of the business by any mode (cash/bank).
3       Receipt          Accounting  For recording of all types of receipts, whenever
                                     money is being received into the business from
4       Journal          Accounting  For recording of all non-cash/bank transactions,
                                     e.g. Depreciation, Provision, Write-off, Write-back,
                                     discount given/received, Purchase / Sale of fixed
                                     assets on credit, etc.
5       Sales            Accounting  For recording all types of trading sales by any
                                     mode (cash/bank/credit).
6       Purchase         Accounting  For recording all types of trading purchases by
                                     any mode (cash/bank/credit).
7       Credit Note      Accounting  For making changes/corrections in already
                                     recorded sales/purchase transactions.
8       Debit Note       Accounting  For making changes/corrections in already
                                     recorded sales/purchase transactions.
9       Purchase Order   Inventory   For recording of a purchase order raised on a
10      Sales Order      Inventory   For recording of a sales order received from a
11      Stock Journal    Inventory   For recording of physical movement of stock
                                     from one location to another.
12      Physical Stock   Inventory   For making corrections in stock after physical
13      Delivery Note    Inventory   For recording of physical delivery of goods sold
                                     to a customer.
14      Receipt Note     Inventory   For recording of physical receipt of goods
                                     purchased from a vendor.
15      Memorandum       Accounting  For recording of transactions which will be in
                                     the system but will not affect the trial balance.
16      Attendance       Payroll     For recording of attendance of employees.
17      Payroll          Payroll     For salary calculations.

5. Explain Characteristics / qualities of voucher number

A Voucher Number or a Document Number is the unique identity of any voucher/
document. A voucher may be identified or searched using its unique voucher number.
Characteristics of voucher numbering:
· Voucher number must be unique.
· Every voucher type shall have a separate numbering series.
· A voucher number may have a prefix or suffix or both, e.g. ICPL/2034/17-18. In this
case “ICPL” is the prefix, “17-18” is the suffix and “2034” is the actual number of the
· All vouchers must be numbered serially, i.e. 1,2,3,4,5,6 and so on.
· All vouchers are recorded in chronological order. If the first voucher number is 51 then
the next voucher number will be 52 & so on.
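The numbering rules above, turned into a series check of the kind an auditor runs over a voucher register: the prefix/number/suffix layout is parsed, each voucher type is checked as its own series, and duplicates, gaps and out-of-sequence dates are reported. This is an added Python example, not from the study material; the voucher data is constructed.

```python
"""Voucher-number series check (added example, not from the study material).

Assumes the PREFIX/NUMBER/SUFFIX layout shown in the text (e.g. ICPL/2034/17-18)
and one numbering series per voucher type.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Prefix of letters, a serial number, and a financial-year suffix such as 17-18.
VOUCHER_RE = re.compile(r"^(?P<prefix>[A-Z]+)/(?P<number>\d+)/(?P<suffix>\d{2}-\d{2})$")


@dataclass(frozen=True)
class Voucher:
    voucher_type: str
    number: str
    entry_date: date


def parse_voucher_number(text: str) -> tuple[str, int, str]:
    """Split 'ICPL/2034/17-18' into ('ICPL', 2034, '17-18'); reject anything else."""
    m = VOUCHER_RE.match(text)
    if not m:
        raise ValueError(f"malformed voucher number: {text!r}")
    return m["prefix"], int(m["number"]), m["suffix"]


def next_voucher_number(prefix: str, last_number: int, suffix: str) -> str:
    """Serial numbering: the next voucher in a series is last + 1, same prefix and suffix."""
    return f"{prefix}/{last_number + 1}/{suffix}"


def check_series(vouchers: list[Voucher]) -> dict[str, list[str]]:
    """Validate each voucher type's series separately and return the findings.

    'duplicate': the same serial number used twice in one series.
    'gap':       a serial number missing between two recorded vouchers.
    'out_of_order': a higher serial number carrying an earlier date than the
                    previous serial, i.e. not recorded chronologically.
    """
    findings: dict[str, list[str]] = {"duplicate": [], "gap": [], "out_of_order": []}
    by_type: dict[str, list[tuple[int, date, str]]] = {}
    for v in vouchers:
        _, num, _ = parse_voucher_number(v.number)
        by_type.setdefault(v.voucher_type, []).append((num, v.entry_date, v.number))

    for vtype, entries in by_type.items():
        entries.sort()  # by serial number, then date
        seen: set[int] = set()
        prev_num, prev_date = None, None
        for num, d, text in entries:
            if num in seen:
                findings["duplicate"].append(f"{vtype}: {text}")
                continue
            seen.add(num)
            if prev_num is not None:
                for missing in range(prev_num + 1, num):
                    findings["gap"].append(f"{vtype}: serial {missing} missing")
                if d < prev_date:
                    findings["out_of_order"].append(
                        f"{vtype}: {text} dated {d} before serial {prev_num}"
                    )
            prev_num, prev_date = num, d
    return findings


# Constructed sample register: a Payment series with a gap and a back-dated
# voucher, and a Receipt series where one number was used twice.
SAMPLE = [
    Voucher("Payment", "ICPL/51/17-18", date(2017, 4, 1)),
    Voucher("Payment", "ICPL/52/17-18", date(2017, 4, 2)),
    Voucher("Payment", "ICPL/54/17-18", date(2017, 4, 1)),
    Voucher("Receipt", "ICPL/1/17-18", date(2017, 4, 1)),
    Voucher("Receipt", "ICPL/1/17-18", date(2017, 4, 3)),
]

if __name__ == "__main__":
    for kind, items in check_series(SAMPLE).items():
        print(f"{kind}: {items}")
```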

6. Explain Accounting Flow from the angle of software

Flow of Accounting (figure): Voucher Entry, Balancing (software), Trial Balance,
Profit & Loss Account, Balance Sheet

As shown in the Fig. regarding the flow of accounting, in all there are seven steps in the
accounting flow, out of which only the first two steps require human intervention. The
remaining five steps are mechanical and can be performed by software with high
speed and accuracy. Also, the last five steps, i.e. Posting, Balancing, Trial Balance
preparation, Profit & Loss Account preparation and Balance Sheet preparation, are time
consuming jobs and require huge effort.

7. Explain various types of ledgers

In accounting, there are three types of ledger accounts, i.e. Personal, Real and Nominal.
But as far as Financial and Accounting Systems are concerned, ledgers may be classified into two types, i.e.
ledgers having a Debit Balance and ledgers having a Credit Balance.

Types of Ledgers (figure)
Key Points -
· The basic objective of accounting software is to generate two primary accounting reports, i.e.
Profit & Loss Account and Balance Sheet. Income and Expense ledgers are considered in the
Profit & Loss Account and Asset and Liability ledgers are considered in the Balance Sheet. Hence
every ledger is classified in one of the four categories, i.e. Income, Expense, Asset or Liability.
· The difference between Total Income and Total Expenses, i.e. Profit or Loss as the case may be,
is taken to the Balance Sheet. The Balance Sheet is the last point in the accounting process.
· Any ledger can be categorized in one category only, i.e. Asset, Liability, Income or
Expense. It cannot be categorized in more than one category.
· Ledger grouping is used for preparation of reports, i.e. Balance Sheet and Profit & Loss Account.
Accounting software does not recognize any ledger as Personal, Real or Nominal; instead
it recognizes it as an Asset, Liability, Income or Expense Ledger.

8. Explain the concept of Grouping of Ledgers

· At the time of creation of any new ledger, it must be placed under a particular
group. There are four basic groups in Accounting, i.e. Income, Expense, Asset,
Liability. There may be any number of sub groups under these four basic groups.
· E.g. Cash ledger is an asset ledger and should be shown under current assets in
Balance Sheet.
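The software steps of the accounting flow described above (posting, balancing, trial balance, Profit & Loss, Balance Sheet) together with the four-way ledger grouping of sections 7 and 8, worked through in Python as an added example that is not from the study material; the ledger names, their groups and the voucher amounts are constructed sample data.

```python
"""Mechanical accounting steps after voucher entry (added example, not from the
study material): posting, balancing, trial balance, Profit & Loss and Balance Sheet,
with every ledger placed under exactly one of Asset, Liability, Income, Expense.
All ledger names, groups and amounts below are constructed sample data.
"""
from collections import defaultdict
from decimal import Decimal

# Master data: each ledger is placed under one (and only one) basic group.
LEDGER_GROUP = {
    "Cash": "Asset",
    "Capital": "Liability",
    "Sales": "Income",
    "Purchases": "Expense",
    "Rent": "Expense",
}

# Voucher entry (the human step). Each voucher is
# (voucher_type, [(ledger, debit, credit), ...]) and must balance.
VOUCHERS = [
    ("Receipt", [("Cash", Decimal("10000"), Decimal("0")),
                 ("Capital", Decimal("0"), Decimal("10000"))]),
    ("Purchase", [("Purchases", Decimal("4000"), Decimal("0")),
                  ("Cash", Decimal("0"), Decimal("4000"))]),
    ("Sales", [("Cash", Decimal("6500"), Decimal("0")),
               ("Sales", Decimal("0"), Decimal("6500"))]),
    ("Payment", [("Rent", Decimal("1200"), Decimal("0")),
                 ("Cash", Decimal("0"), Decimal("1200"))]),
]


def post_to_ledgers(vouchers):
    """Posting: accumulate debits and credits per ledger.

    An unbalanced voucher or a ledger missing from master data is rejected,
    which is the input control that keeps the later steps mechanical.
    """
    totals = defaultdict(lambda: [Decimal("0"), Decimal("0")])
    for vtype, lines in vouchers:
        if sum(dr for _, dr, _ in lines) != sum(cr for _, _, cr in lines):
            raise ValueError(f"{vtype} voucher does not balance")
        for ledger, dr, cr in lines:
            if ledger not in LEDGER_GROUP:
                raise KeyError(f"ledger {ledger!r} not in master data")
            totals[ledger][0] += dr
            totals[ledger][1] += cr
    return totals


def balance_ledgers(totals):
    """Balancing: net each ledger to one figure (positive = debit balance)."""
    return {ledger: dr - cr for ledger, (dr, cr) in totals.items()}


def trial_balance(balances):
    """Trial balance: debit balances on one side, credit balances on the other."""
    debit_side = sum(b for b in balances.values() if b > 0)
    credit_side = -sum(b for b in balances.values() if b < 0)
    return debit_side, credit_side, debit_side == credit_side


def profit_and_loss(balances):
    """P&L: Income ledgers less Expense ledgers (credit balances are negative here)."""
    income = -sum(b for l, b in balances.items() if LEDGER_GROUP[l] == "Income")
    expense = sum(b for l, b in balances.items() if LEDGER_GROUP[l] == "Expense")
    return income - expense


def balance_sheet(balances):
    """Balance Sheet: Assets against Liabilities plus the profit carried from P&L."""
    assets = sum(b for l, b in balances.items() if LEDGER_GROUP[l] == "Asset")
    liabilities = -sum(b for l, b in balances.items() if LEDGER_GROUP[l] == "Liability")
    profit = profit_and_loss(balances)
    return assets, liabilities + profit, assets == liabilities + profit


def run_accounting_flow(vouchers=VOUCHERS):
    """Run the five software steps and return the three reports."""
    balances = balance_ledgers(post_to_ledgers(vouchers))
    return {
        "trial_balance": trial_balance(balances),
        "profit": profit_and_loss(balances),
        "balance_sheet": balance_sheet(balances),
    }


if __name__ == "__main__":
    for name, report in run_accounting_flow().items():
        print(f"{name}: {report}")
```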

Technical Concepts in Computerized Financial & Accounting Systems

9. Explain working of any software through ‘Front end’ and ‘back end’ modules

Working of any software

(i) Front End & Back End
• Front End - It is part of the software which actually interacts with the user who is
using the software.
• Back End - It is the part of the software which does not directly interact with the
user, but interacts with the Front End only.

If a user wants to have some information from the system:

• User will interact with Front End part of the software and request front end to
generate the report.
• Front End will receive the instruction from user and pass it on to the back end.
• Back End will process the data, generate the report and send it to the front end.
Front end will now display the information to user.
• This is how the process gets completed each and every time.

Example - the working of a restaurant:
· A customer will place an order with the waiter (Front End) and not with the cook (Back End).
· The waiter will receive the order and pass it on to the cook in the kitchen.
· The cook will prepare the food as per requirement and hand it over to the waiter.
· The waiter will serve the food to the customer.

10. Explain difference between Installed Applications V/s Web Applications

· Installed Applications are programs installed on the hard disc of the user’s
· Web Applications are not installed on the hard disc of the user’s computer; they are
installed on a web server and accessed using a browser and internet connection.

Particulars: Installation & Maintenance
Installed Application: As software is installed on the hard disc of the computer used by the user, it needs to be installed on every computer one by one. This may take a lot of time. Also, maintenance and updating of software may take a lot of time and
Web Application (Cloud based): As software is installed on only one computer, i.e. a web server, it need not be installed on each computer. Hence installation on the user's computer is not required and maintenance and updating of software becomes extremely easy.

Particulars: Accessibility
Installed Application: As software is installed on the hard disc of the user's computer, the user needs to go to the computer where the software is installed in order to use it. It cannot be used from any computer.
Web Application (Cloud based): As software is not installed on the hard disc of the user's computer and is used through a browser and the internet, it can be used from any computer in the world. Access to the software becomes very easy. Also, it can be used 24 x 7.

Particulars: Mobile Application
Installed Application: Using the software through a mobile application is difficult in this case.
Web Application (Cloud based): Using a mobile application becomes very easy as data is available 24 x

Particulars: Data Storage
Installed Application: Data is physically stored in the premises of the user, i.e. on the hard disc of the user's server computer. Hence the user will have full control over the data.
Web Application (Cloud based): Data is not stored in the user's server computer. It is stored on a web server. Hence the user will not have any control over the data.

Particulars: Data Security
Installed Application: As the data is in the physical control of the user, it cannot be accessed by unauthorized users.
Web Application (Cloud based): As data is maintained on a web server, it can be accessed by unauthorized users.

Particulars: Performance
Installed Application: A well written installed application shall always be faster than a web application, as data is picked from a local server without the internet.
Web Application (Cloud based): As data is picked from a web server using the internet, the speed of operation may be slower.

Integrated & Non-Integrated System

11. Explain Integrated & Non Integrated System

Non-Integrated System

A Non-Integrated System is a system of maintaining data in a decentralized way. Each
department maintains its own data separately and not in an integrated way. This is
the major problem with non-integrated systems.

Non-Integrated Systems (figure)
Above is a typical non-integrated environment where all the departments are working
independently and using their own sets of data. They need to communicate with each other but
still they use their own data.
This results in two major problems:
a. Communication Gaps
b. Mismatched Data
Communication between different business units is a major aspect for success of any

Integrated System - Enterprise Resource Planning (ERP) Systems

· ERP can be defined as a system, which is a fully integrated business

management system that integrates the core business and management processes
to provide an organization a structured environment in which decisions concerning
demand, supply, operational, personnel, finance, logistics etc. are fully supported by
accurate and reliable real time information.
· An ERP system is a multi-module software system that integrates all business
processes and functions of the entire Enterprise into a single software system, using
a single integrated database. Each module is intended to collect, process and store
data of a functional area of the organization and to integrate with related processes.
· An ERP system is based on a common database and a modular software design. The
common database allows every department of a business to store and retrieve
information in real-time.
· Ideally, the data for the various business functions are integrated. In practice the ERP
system may comprise a set of discrete applications, each maintaining a discrete data
store within one physical database.
· Some of the well-known ERPs in the market today include SAP, Oracle, MFG Pro, MS
Axapta etc.

12. Explain advantages of an ERP System

• Ability to customize an organization’s requirements;

• Integrate business operations with accounting and financial reporting functions;
• Increased data security and application controls;
• Build strong access and segregation of duties controls;
• Automate many manual processes thus eliminating errors;
• Process huge volumes of data within short time frames; and
• Strong reporting capabilities which aids management and other stakeholders in
appropriate decision making.

13. Explain various features of an Ideal ERP System

· It should cater to all types of needs of an organization.
· It should provide the right data at the right point of time to the right users for their purpose.
· It should be flexible enough to adapt to changes in the organization.
· It must have a single database which contains all data for the various software modules to
perform all the functions of the organization to achieve its goals and objectives.

14. Explain various modules of ERP

ERP modules can include the following:

• Manufacturing: Some of the functions include engineering, capacity, workflow
management, quality control, bills of material, manufacturing process, etc.
• Financials: Accounts payable, accounts receivable, fixed assets, general ledger and
cash management, etc.
• Human Resources: Benefits, training, payroll, time and attendance, etc.
• Supply Chain Management: Inventory, supply chain planning, supplier scheduling,
claim processing, order entry, purchasing, etc.

• Projects: Costing, billing, activity management, time and expense, etc.
• Customer Relationship Management (CRM):
§ CRM is a term applied to processes implemented by a company to handle its
contact with its customers.
§ It provides information to management as to the customer requirement,
customer account balance, payment details, types of products etc.
§ Details on any customer contacts can also be stored in the system.
§ The rationale behind this approach is to improve services provided directly to
customers and to use the information in the system for targeted marketing.
• Data Warehouse:
§ Data warehouse is a repository of an organization’s electronically stored data.
§ It is designed to extract relevant data from various databases, load it into
repository for supporting data analysis and provide data reporting.
§ Usually this is a module that can be accessed by an organization’s customers,
suppliers and employees.


15. Explain various risks in ERP environment

Risks in an ERP Environment

By and large, we can say that most of the risks in an ERP environment relate to data only.
These risks can be summarized as under.
· Risk of total loss of data
· Risk of partial loss of data
· Risk of unauthorised changes in data
· Risk of partial / complete deletion of data
· Risk of leakage of information
· Risk of incorrect input of data

16. Explain various risks associated and Controls required in ERP Systems

Aspect: Data Access
Risk Associated: Data is stored centrally and all the departments access the central data. This creates a possibility of access to non-relevant data.
Control Required: Access rights need to be defined very carefully. Access is to be given on a “Need to know” and “Need to do” basis only.

Aspect: Data Safety
Risk Associated: As there is only one set of data, if this data is lost, the whole business may come to a standstill.
Control Required: Backup arrangements need to be very strong. Also strict physical control is needed for data.

Aspect: Speed of Operation
Risk Associated: As data is maintained centrally, gradually the data size becomes more and more and it may reduce the speed of operation.
Control Required: This can be controlled by removing redundant data on a continuous basis.

Aspect: Change in process
Risk Associated: As the overall system is integrated, a small change in process for one department may require a lot of effort and money.
Control Required: All the processes must be documented carefully at the beginning of implementation itself so as to avoid any discomfort in future.

Aspect: Staff Turnover
Risk Associated: As the overall system is integrated and connected with each other department, it becomes complicated and difficult to understand. In case of staff turnover, it becomes increasingly difficult to maintain the system.
Control Required: This can be controlled and minimized with the help of proper staff training, having help manuals, having backup plans for staff turnover, etc.

Aspect: System Failure
Risk Associated: As everybody is connected to a single system and central database, in case of failure of the system the whole business may come to a standstill or get affected badly.
Control Required: This can be controlled and minimized by having proper and updated backup of data as well as alternate hardware / internet arrangements. In case of failure of the primary system, the secondary system may be used.

17. Explain Role Based Access Control (RBAC) in ERP System

· In computer systems security, role-based access control is an approach to
restricting system access to authorized users.
· Roles for staff are defined in the organization and access to the system can be given
according to the role assigned.
· E.g. a junior accountant in the accounting department is assigned a role of recording
basic accounting transactions, an executive in the human resource department is
assigned a role of gathering data for salary calculations on a monthly basis, etc.
Types of Access
While assigning access to different users, the following options are possible.
(i) Create - Allows the user to create data
(ii) Alter - Allows the user to alter data
(iii) View - Allows the user only to view data
(iv) Print - Allows the user to print data
The above types of access can be allowed / disallowed for -
a. Master Data
b. Transaction Data
c. Reports
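A role-based access matrix following the Create / Alter / View / Print model above, applied separately to master data, transaction data and reports, deny-by-default, with every decision logged (the audit trail the ERP-audit questions in section 18 ask about) and a simple segregation-of-duties check of the kind listed among the ERP advantages. This is an added Python example, not from the study material; the roles, users and permission sets are constructed.

```python
"""Role-based access check for an accounting system (added example, not from the
study material). Roles, users and the permission matrix are constructed.

Anything not explicitly granted is denied, and every decision is appended to an
audit log so user activity can be reviewed later.
"""
from __future__ import annotations

from enum import Enum


class Access(Enum):
    CREATE = "create"
    ALTER = "alter"
    VIEW = "view"
    PRINT = "print"


class DataKind(Enum):
    MASTER = "master data"
    TRANSACTION = "transaction data"
    REPORTS = "reports"


# Role -> data kind -> set of allowed access types (deny by default).
ROLE_PERMISSIONS = {
    # Junior accountant: records basic transactions, only looks up masters.
    "junior_accountant": {
        DataKind.MASTER: {Access.VIEW},
        DataKind.TRANSACTION: {Access.CREATE, Access.VIEW},
        DataKind.REPORTS: {Access.VIEW},
    },
    # HR executive: gathers data for the monthly salary calculation.
    "hr_executive": {
        DataKind.MASTER: {Access.VIEW},
        DataKind.TRANSACTION: {Access.CREATE, Access.VIEW, Access.PRINT},
    },
    # Accounts manager: maintains masters and prints reports, but does not
    # alter posted transactions.
    "accounts_manager": {
        DataKind.MASTER: {Access.CREATE, Access.ALTER, Access.VIEW},
        DataKind.TRANSACTION: {Access.VIEW},
        DataKind.REPORTS: {Access.VIEW, Access.PRINT},
    },
}

# Constructed users; "temp_cover" holds two roles at once, which is the kind of
# combination an access review should flag.
USER_ROLES = {
    "priya": {"junior_accountant"},
    "rahul": {"hr_executive"},
    "sunil": {"accounts_manager"},
    "temp_cover": {"junior_accountant", "accounts_manager"},
}

AUDIT_LOG: list[dict] = []


def _granted(roles: set[str], kind: DataKind, access: Access) -> bool:
    """True if any of the roles explicitly grants this access on this data kind."""
    return any(access in ROLE_PERMISSIONS.get(r, {}).get(kind, set()) for r in roles)


def is_allowed(user: str, access: Access, kind: DataKind) -> bool:
    """Decide one request and record it; unknown users and unlisted kinds are denied."""
    allowed = _granted(USER_ROLES.get(user, set()), kind, access)
    AUDIT_LOG.append({"user": user, "access": access.value,
                      "on": kind.value, "allowed": allowed})
    return allowed


def has_sod_conflict(user: str) -> bool:
    """Segregation-of-duties check: a user who can both maintain master data
    (create or alter) and create transactions can, for instance, add a vendor and
    then record a payment to it, so the two should sit with different people."""
    roles = USER_ROLES.get(user, set())
    maintains_masters = (_granted(roles, DataKind.MASTER, Access.CREATE)
                         or _granted(roles, DataKind.MASTER, Access.ALTER))
    return maintains_masters and _granted(roles, DataKind.TRANSACTION, Access.CREATE)


if __name__ == "__main__":
    print(is_allowed("priya", Access.CREATE, DataKind.TRANSACTION))
    print(is_allowed("priya", Access.ALTER, DataKind.MASTER))
    print([u for u in USER_ROLES if has_sod_conflict(u)])
```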

18. Audit of ERP System

Some of the questions auditors should ask during an ERP audit are pretty much the same
as those that should be asked during development and implementation of the system:
• Does the system process according to GAAP (Generally Accepted Accounting
Principles) and GAAS (Generally Accepted Auditing Standards)?
• Does it meet the needs for reporting, whether regulatory or organizational?
• Were adequate user requirements developed through meaningful interaction?
• Does the system protect confidentiality and integrity of information assets?
• Does it have controls to process only authentic, valid, accurate transactions?
• Are effective system operations and support functions provided?
• Are all system resources protected from unauthorized access and use?
• Are user privileges based on what is called “role-based access?”
• Is there an ERP system administrator with clearly defined responsibilities?
• Is the functionality acceptable? Are user requirements met? Are users happy?
• Have workarounds or manual steps been required to meet business needs?
• Are there adequate audit trails and monitoring of user activities?
• Can the system provide management with suitable performance data?
• Are users trained? Do they have complete and current documentation?
• Is there a problem-escalation process?



19. What is a Business Process? Explain with examples.

A Business Process consists of a set of activities that are performed in coordination in an
organizational and technical environment. These activities jointly realize a business goal.
Each business process is enacted by a single organization, but it may interact with
business processes performed by other organizations. To manage a process-
· The first task is to define it. This involves defining the steps (tasks) in the process
and mapping the tasks to the roles involved in the process.
· Once the process is mapped and implemented, performance measures can be
established. Establishing measurements creates a basis to improve the process.
· The last piece of the process management definition describes the organizational
setup that enables the standardization of and adherence to the process throughout
the organization.

20. Explain Accounting process flow in Accounting Cycle.

· The Accounting or Book-keeping cycle covers the business processes involved in
recording and processing accounting events of a company.
· It begins when a transaction or financial event occurs and ends with its inclusion in
the financial statements.
· A typical life cycle of an accounting transaction may include the following
steps as depicted in Fig.:

(a) Source Document: A document that captures data from transactions and events.
(b) Journal: Transactions are recorded into journals from the source document.
(c) Ledger: Entries are posted to the ledger from the journal.
(d) Trial Balance: Unadjusted trial balance containing totals from all account heads is
(e) Adjustments: Appropriate adjustment entries are passed.
(f) Adjusted Trial balance: The trial balance is finalized post adjustments.
(g) Closing Entries: Appropriate entries are passed to transfer accounts to financial
(h) Financial statement: The accounts are organized into the financial statements.

21. Explain different nature & types of business.

There are three different natures and types of businesses that are operated with the
purpose of earning profit. Each type of business has distinctive features.
• Trading Business - Trading simply means buying and selling goods as they are, without any
modification. Hence inventory accounting is a major aspect in this case.
Purchase and sales transactions cover the major portion of accounting. This industry
requires accounting as well as inventory modules.
• Manufacturing Business - This type of business includes all aspects of the trading
business plus the additional aspect of manufacturing. Manufacturing is simply buying
raw material, changing its form and selling it as a part of trading. Here also,
inventory accounting plays a major role. This type of industry requires accounting
and complete inventory along with a manufacturing module.
• Service Business - This type of business does not have any inventory. It is the selling of
skills / knowledge / efforts / time. E.g. Doctors, Architects, Chartered Accountants
are the professionals in service business. There may be other types of business
in service, i.e. courier business, security service, etc. This industry does not
require an inventory module.

22. Explain various Business Process Modules in ERP

· Financial Accounting Module

· Controlling Module
· Sale & distribution Module
· Human Resource Module
· Production planning (PP) Module
· Material Management (MM) Module
· Quality Management Module
· Plant Maintenance Module
· Project Systems Module
· Supply Chain Module
· Customer Relationship Module (CRM)

23. Explain Financial Accounting Module & key features of Financial Accounting
This module is the most important module of the overall ERP System and it
connects all the modules to each other. Every module is somehow connected
with this module.
Following are the key features of this module:
• Tracking of flow of financial data across the organization in a controlled
manner and integrating all the information for effective strategic decision
• Creation of Organizational Structure (Defining Company, Company Codes,
Business Areas, Functional Areas, Credit Control, Assignment of Company
Codes to Credit Controls).
• Financial Accounting Global Settings (Maintenance of Fiscal Year, Posting
Periods, defining Document types, posting keys, Number ranges for
• General Ledger Accounting (Creation of Chart of Accounts, Account groups,
defining data transfer rules, creation of General Ledger Accounts).
• Tax Configuration & Creation and Maintenance of House Banks.
• Accounts Payable (Creation of Vendor Master data and vendor-related
finance attributes like account groups and payment terms).
• Accounts Receivable (Creation of Customer Master data and customer-
related finance attributes like account groups and payment terms).
• Asset Accounting.
• Integration with Sales and Distribution and Materials Management.

24. Explain Controlling Module & key features of Controlling Module

This module facilitates coordinating, monitoring, and optimizing all the processes
in an organization. It controls the business flow in an organization. This module
helps in analyzing the actual figures with the planned data and in planning
business strategies. Two kinds of elements are managed in Controlling - Cost
Elements and Revenue Elements. These elements are stored in the Financial
Accounting module.
Key features of this module are as under:
• Cost Element Accounting (Overview of the costs and revenues that occur in
an organization);
• Cost Center Accounting;
• Activity-Based-Accounting (Analyzes cross-departmental business processes);
• Internal Orders;
• Product Cost Controlling (Calculates the costs that occur during the
manufacture of a product or provision of a service);
• Profitability Analysis; and
• Profit Center Accounting (Evaluates the profit or loss of individual,
independent areas within an organization).

25. Explain Sales & distribution Module & key features of Sales & distribution

It has a high level of integration complexity. Sales and Distribution is used by

organizations to support sales and distribution activities of products and services,
starting from enquiry to order and then ending with delivery.
This module includes various activities that take place in an organization such as
product enquiries, quotation, placing order, pricing, scheduling deliveries, picking,
packing, goods issue, shipment of products to customers, delivery of products and
In all these processes, multiple modules are involved such as FA (Finance &
Accounting), CO (Controlling), MM (Material Management), PP (Production
Planning), LE (Logistics Execution), etc., which shows the complexity of the
integration involved.

Sales and Distribution with ERP (figure)

Key features of Sales and Distribution Module are discussed as under:
• Setting up Organization Structure (creation of new company, company codes,
sales organization, distribution channels, divisions, business area, plants, sales
area, maintaining sales offices, storage location)
• Assigning Organizational Units (Assignment of individual components created in
the above activities with each other according to design like company code to
company, sales organization to company code, distribution channel to sales
organization, etc.)
• Defining Pricing Components (Defining condition tables, condition types, condition
• Setting up sales document types, billing types, and tax-related components
• Setting up Customer master data records and configuration

26. Explain Sales & distribution Process

• Pre - Sales Activities – Includes process of prospecting of customers, identifying
prospective customers, gathering data, contacting them and fixing appointments,
showing demo, discussion, submission of quotations, etc.
• Sales Order - Sales order is recorded in our books after getting a confirmed
purchased order from our customer. Sales order shall contain details just like
purchase order. E.g. Stock Item Details, Quantity, Rate, Due Date of Delivery, Place
of Delivery, etc.
• Inventory Sourcing - It includes making arrangements before delivery of goods,
ensuring goods are ready and available for delivery.

• Material Delivery - Material is delivered to the customer as per sales order. All
inventory details are copied from Sales Order to Material Delivery for saving user’s
time and efforts. This transaction shall have a linking with Sales Order. Stock
balance shall be reduced on recording of this transaction.
• Billing - This is the transaction of raising an invoice against the delivery of material to
the customer. This transaction shall have a link with Material Delivery and all the
details shall be copied from it. Stock balance shall not be affected again.
• Receipt from Customer - This is a transaction of receiving amount from
customer against sales invoice and shall have a linking with sales invoice.

27. Write short note on Human Resource Module

· This module enhances the work process and data management within HR
department of enterprises. Human resource is the most valuable asset for an
organization. Utilization of this resource in most effective & efficient way is an
important function for any organization.
· The most important objective of master data administration in Human Resources
is to enter employee-related data for administrative, time-recording, and payroll
purposes. This module maintains total employee database including wages &
attendance, preparing wage sheet for workmen, handle provident fund etc.
· The objectives of HR Management are:
§ To ensure the least disputes,
§ The right utilization of manpower,
§ To keep status and track of employees’ efficiency, and
§ To keep track of leave records of all employees.
· It contains a skill database of all users with details of qualifications, training,
experience, interests etc. for allocating manpower to the right activity at the time of
· It includes various functions such as Recruitment Management, Personnel
Administration, Training Management, Attendance Management, Payroll
Management and Promotion Management.

28. Write short note on Production Planning (PP) Module

PP Module includes software designed specifically for production planning and
management. This module also consists of master data, system configuration and
transactions in order to accomplish the planning procedure for production. PP module
collaborates with master data, sales and operations planning, distribution resource
planning, material requirements planning, product cost planning and so on while working
towards production management in enterprises.

Process in Production Planning Module

29. Write short note on Material Management (MM) Module

· MM Module manages materials required, processed and produced in enterprises.
Different types of procurement processes are managed with this system.
· Various sub components of MM module are vendor master data, consumption
based planning, purchasing, inventory management, invoice verification and so on.
· It also deals with movement of materials via other modules like logistics, Supply
Chain Management, sales and delivery, warehouse management, production and

Process showing Overall Purchase Process

30. Explain purchase process under MM Module

· Purchase Requisition from Production Department - Production department sends a
request to purchase department for purchase of raw material required for production.
· Evaluation of Requisition - Purchase department shall evaluate the requisition against the
current stock position and the pending purchase order position and shall decide about
accepting or rejecting the requisition.
· Asking for Quotation - If the requisition is accepted, quotations shall be invited from
approved vendors for purchase of the material.
· Evaluation of quotations - Quotations received shall be evaluated and compared.
· Purchase Order – Purchase order will be prepared by the purchase department of the
organization after evaluation of the various quotations and sent to the vendor, stating details
about the product to be bought such as description, quantity, rate, delivery due date etc.
· Material Receipt - This is a transaction of receipt of material against purchase order. This is
commonly known as Material Receipt Note (MRN) or Goods Receipt Note (GRN). This
transaction shall have a linking with Purchase Order. Stock is increased after recording of this

· Issue of material - Material received by stores shall be issued to production department as
per requirement.
· Purchase Invoice - This is a financial transaction. Trial balance is affected due to this
transaction. Material Receipt transaction does not affect trial balance. This transaction shall
have a linking with the Material Receipt transaction and all the details of material received shall
be copied automatically into the purchase invoice. As stock is already increased in the Material
Receipt transaction, it will not be increased again on recording of the purchase invoice.
· Payment to Vendor - Payment shall be made to vendor based on purchase invoice recorded
earlier. Payment transaction shall have a linking with purchase invoice.
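
As an added illustration (not part of the notes), the Python below models the document chain just described: each step links to the one before it, stock moves only on the Material Receipt, and the trial balance moves only on the Invoice and Payment; the controls that reject an unlinked, duplicate or over-quantity document are the checks an auditor would look for in such a system. Vendor, item, quantities and rates are constructed sample data.

```python
from dataclasses import dataclass, field


class ControlError(Exception):
    """Raised when a document breaks a linkage or quantity control."""


@dataclass
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty: int
    rate: float


@dataclass
class MaterialReceipt:  # the MRN / GRN of the notes
    mrn_no: str
    po_no: str   # every receipt must link to a purchase order
    qty: int


@dataclass
class PurchaseInvoice:
    inv_no: str
    mrn_no: str  # every invoice must link to a material receipt
    amount: float


@dataclass
class P2PLedger:
    stock: dict = field(default_factory=dict)           # item -> quantity on hand
    vendor_payable: dict = field(default_factory=dict)  # vendor -> amount owed (trial balance side)
    orders: dict = field(default_factory=dict)
    receipts: dict = field(default_factory=dict)
    invoices: dict = field(default_factory=dict)
    received_qty: dict = field(default_factory=dict)    # po_no -> quantity received so far

    def record_po(self, po):
        self.orders[po.po_no] = po
        self.received_qty[po.po_no] = 0

    def record_receipt(self, mrn):
        po = self.orders.get(mrn.po_no)
        if po is None:
            raise ControlError(f"{mrn.mrn_no}: no purchase order {mrn.po_no}")
        if self.received_qty[po.po_no] + mrn.qty > po.qty:
            raise ControlError(f"{mrn.mrn_no}: receipt exceeds quantity ordered on {po.po_no}")
        self.received_qty[po.po_no] += mrn.qty
        # Stock increases on the receipt, and only on the receipt.
        self.stock[po.item] = self.stock.get(po.item, 0) + mrn.qty
        self.receipts[mrn.mrn_no] = mrn

    def record_invoice(self, inv):
        mrn = self.receipts.get(inv.mrn_no)
        if mrn is None:
            raise ControlError(f"{inv.inv_no}: no material receipt {inv.mrn_no}")
        if any(i.mrn_no == inv.mrn_no for i in self.invoices.values()):
            raise ControlError(f"{inv.inv_no}: receipt {inv.mrn_no} already invoiced")
        po = self.orders[mrn.po_no]
        expected = mrn.qty * po.rate  # details copied from the receipt, priced at the PO rate
        if abs(inv.amount - expected) > 0.005:
            raise ControlError(f"{inv.inv_no}: amount {inv.amount} differs from {expected}")
        # Trial balance moves here; stock does not move again.
        self.vendor_payable[po.vendor] = self.vendor_payable.get(po.vendor, 0.0) + inv.amount
        self.invoices[inv.inv_no] = inv

    def record_payment(self, inv_no, amount):
        inv = self.invoices.get(inv_no)
        if inv is None:
            raise ControlError(f"payment: no purchase invoice {inv_no}")
        if amount > inv.amount:
            raise ControlError(f"payment exceeds invoice {inv_no}")
        vendor = self.orders[self.receipts[inv.mrn_no].po_no].vendor
        self.vendor_payable[vendor] -= amount


def run_sample():
    """Walk one constructed order through the chain; return the ledger and the controls that fired."""
    ledger = P2PLedger()
    ledger.record_po(PurchaseOrder("PO-1", "Sample Steel Ltd", "MS Sheet", qty=100, rate=50.0))
    ledger.record_receipt(MaterialReceipt("MRN-1", "PO-1", qty=60))          # partial delivery
    ledger.record_invoice(PurchaseInvoice("INV-1", "MRN-1", amount=3000.0))  # 60 x 50.0
    ledger.record_payment("INV-1", 3000.0)
    failures = []
    for attempt in (
        lambda: ledger.record_receipt(MaterialReceipt("MRN-2", "PO-1", qty=50)),   # 60 + 50 > 100
        lambda: ledger.record_invoice(PurchaseInvoice("INV-2", "MRN-9", 10.0)),    # no such receipt
        lambda: ledger.record_invoice(PurchaseInvoice("INV-3", "MRN-1", 3000.0)),  # duplicate invoice
    ):
        try:
            attempt()
        except ControlError as err:
            failures.append(str(err))
    return ledger, failures
```

The same linkage pattern applies to the sales side (Sales Order, Material Delivery, Billing, Receipt), with stock reduced only on Material Delivery.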

31. Write short note on Quality Management (QM) Module.

Quality Management Module helps in management of quality in productions across
processes in an organization. It helps an organization to accelerate their business by
adopting a structured and functional way of managing quality in different processes. It
has various sub components such as collaboration in procurement and sales, production,
planning, inspection, notification, control, audit management and so on.

[Figure: Process in Quality Management Module - Plan Quality produces the Quality
Management Plan, Check List and Quality Metrics; these feed Perform Quality Assurance
and Perform Quality Control, which produce Change Requests and Work Performance
Information; Approved Change Requests flow through Perform Integrated Change Control
to Direct & Manage Project Execution.]

32. Explain Quality Management process under QM Module

Quality Management Process includes the following:
• Master data and standards are set for quality management;
• Set Quality Targets to be met;
• Quality management plan is prepared;
• Define how those quality targets will be measured;
• Take the actions needed to measure quality;

• Identify quality issues and improvements and changes to be made;
• In case any change is needed in the product, change requests are sent;
• Report on the overall level of quality achieved; and
• Quality is checked at multiple points, e.g. inwards of goods at warehouse,
manufacturing, procurement, returns.

33. Write short note on Plant Maintenance (PM) Module.

This is a functional module which handles the maintenance of equipment and enables
efficient planning of production and generation schedules. The Plant Maintenance (PM)
application component provides a comprehensive software solution for all
maintenance activities that are performed within a company. It supports cost-efficient
maintenance methods, such as risk-based maintenance or preventive maintenance, and
provides comprehensive outage planning and powerful work order management.

Process in Plant Maintenance

34. Write short note on Project Systems Module.

This is an integrated project management tool used for planning and managing projects.
It has several tools that enable project management process such as cost and planning
budget, scheduling, requisitioning of materials and services.

[Figure: Process in Project Systems - Project Request -> Create Templates -> Create
Project -> Budgeting, Planning and Release -> Project Implementation -> Project
Completion]

35. Write short note on Supply Chain Module.

It is a cross functional system used to provide information about movement of raw
materials from supplier’s place to organization and movement of finished goods from
organization’s place to customer’s place. It provides tracking of raw material, work in
progress and finished goods.
It has various components such as logistics management, inventory management,
production management, distribution management.

Process in Supply Chain

36. Write short note on Customer Relationship Management (CRM) Module.

· It provides information to management as to the customer requirement, customer
account balance, payment details, types of products etc.
· Details on any customer contacts can also be stored in the system.
· It helps in managing company’s interaction with customers, managing customer
relationships through marketing, customer service and technical support.
· It addresses customer’s issues and problems within a prescribed time in an efficient

37. Explain various benefits of CRM Module.

Key benefits of a CRM module are as under.

• Improved customer relations:
§ It helps in obtaining better customer satisfaction. By using this strategy, all
dealings involving servicing, marketing, and selling your products to your
customers can be carried out in an organized and systematic way.
§ It also helps in understanding all queries and complaints of customers &
provides instant better solution and this in turn helps in increasing customer
loyalty. In this way, you can also receive continuous feedback from your
customers regarding your products and services.
• Increase customer revenues: It helps in increasing the revenue of the company by
running effective marketing campaigns on the basis of the customer data collected. It
ensures that product promotions reach a different and brand new set of
customers, and not only the existing ones who have already purchased the product, and
thus effectively increases customer revenue.
• Maximize up-selling and cross-selling: A CRM system allows up-selling which is
the practice of giving customers premium products that fall in the same category
of their purchase. The strategy also facilitates cross selling which is the practice of
offering complementary products to customers, based on their previous
purchases. This is done by interacting with the customers and getting an idea
about their wants, needs, and patterns of purchase. The details thus obtained will
be stored in a central database, which is accessible to all company executives.
• Better internal communication: It helps in building up better communication
within the company. The sharing of customer data between different departments
will enable them to work as a team. This is better than functioning as an isolated
entity, as it will help in increasing the company’s profitability and enabling better
service to customers.
• Optimize marketing: It helps in understanding customer needs and behavior,
thereby allowing the organization to identify the correct time to market its product to
customers. CRM will also give an idea about the most profitable customer
groups so that they can be targeted at the right time. In this way, the organization will
be able to optimize marketing resources efficiently and avoid wasting time and
resources on less profitable customer groups.

38. Explain various Inventory Accounting concepts

Inventory stands for list of stock items intended for trading or consumption. It includes
raw material, work in process, finished goods and consumables. All the transactions
involving inventory are covered in this module.

Inventory Accounting Concepts

1. Stock Item - Item of stock intended for sale / consumption in normal course of
business. E.g. for a person dealing in white goods, TV, Fridge, Air Conditioner,
Cooler, Heater shall be inventory for him.
2. Stock Group - Group used for reporting of similar stock items, e.g. all televisions of
different sizes of one brand are placed under one group for reporting.
3. Godown - Just like a physical godown, this is an electronic place for storing stock
items in the software.
4. Unit of Measure - A unit for measuring movement of stock items, e.g. kilogram, litre,
meter, numbers, dozens, boxes, pieces, pairs, etc. Units of measure are attached to
stock items and not stock groups. Normally a unit of measure once set cannot be
altered after recording of transactions in a stock item.
5. Re-order Level - It is the level of stock set for placing an order for purchase. If stock
balance for a stock item touches this level, an order for purchase of goods is to be
placed.
6. Price Levels - It is a pre-decided rate structure for different stock items for different
customers for different quantities. E.g. we may have three different types of
customers as Wholesale, Retail and Government. Three different selling rates may be
applied for these three different types of customers. Also, there may be a different
rate structure depending on the quantity purchased.
7. Stock Ageing - Identifying age of stock items and arranging it as per its age. This is
necessary as “Old is Gold” hardly works in Inventory Management in today’s ever
changing world. As the age of a stock item increases, it becomes increasingly
difficult to sell it and the possibility of loss increases day by day.
8. Cost Tracking - To arrive at the correct value of closing stock and to obtain correct
data for management decisions, all the costs associated with procurement of
inventory must be tracked and added to inventory costs. E.g. purchase cost is
recorded through purchase transactions. But costs like loading/unloading,
transportation, insurance, etc. paid separately are not recorded in the purchase
voucher and hence need to be added to cost of stock items separately. This is
possible with cost
9. Batch - This concept is used in manufacturing of goods. Every batch of production is
given a unique number as a batch number. At the time of checking stock balance,
batch wise stock is identified and separated for handling purpose. At the time of all
movement of goods, stock is updated along with batch. This is again used for
knowing balance for old and new batches.
10. Expiry Dates - This is a concept associated with Batch. This is used for perishable
goods, food items, medicines, etc. At the time of buying or manufacturing of such
goods, expiry date is set. Based on this already set expiry date, position of “expired
stock” and “about to expire stock” is displayed. This information is useful to
management for taking inventory related decisions.
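
Added example (not from the notes) putting the re-order level, stock ageing, batch and expiry concepts from the table above into code: stock is held batch-wise, expired and about-to-expire batches are reported, ageing buckets are computed, and issues are made first-expired-first-out while skipping expired batches. Item names, batch numbers, dates and the AS_ON date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_ON = date(2024, 3, 31)  # constructed "today" for the sample data below


@dataclass
class Batch:
    item: str
    batch_no: str
    qty: int
    received: date                  # used for stock ageing
    expiry: Optional[date] = None   # None for non-perishable items


def stock_balance(batches, item):
    """Total on-hand quantity of an item across all its batches."""
    return sum(b.qty for b in batches if b.item == item)


def below_reorder_level(batches, reorder_levels):
    """Items whose balance has touched or fallen below their re-order level."""
    return sorted(item for item, level in reorder_levels.items()
                  if stock_balance(batches, item) <= level)


def expiry_status(batches, today, warn_days=30):
    """Split batches into 'expired' and 'about to expire' lists, as the notes describe."""
    expired, about_to_expire = [], []
    for b in batches:
        if b.expiry is None:
            continue
        days_left = (b.expiry - today).days
        if days_left < 0:
            expired.append(b.batch_no)
        elif days_left <= warn_days:
            about_to_expire.append(b.batch_no)
    return expired, about_to_expire


def ageing_buckets(batches, today, edges=(30, 90, 180)):
    """Quantity on hand per age bucket, e.g. {'0-30': .., '31-90': .., '91-180': .., '>180': ..}."""
    labels = [f"0-{edges[0]}"]
    labels += [f"{edges[i - 1] + 1}-{edges[i]}" for i in range(1, len(edges))]
    labels.append(f">{edges[-1]}")
    buckets = {label: 0 for label in labels}
    for b in batches:
        age = (today - b.received).days
        for i, edge in enumerate(edges):
            if age <= edge:
                buckets[labels[i]] += b.qty
                break
        else:
            buckets[labels[-1]] += b.qty
    return buckets


def issue_fefo(batches, item, qty, today):
    """Issue stock first-expired-first-out, never from expired batches; returns (batch_no, qty) pairs."""
    usable = [b for b in batches
              if b.item == item and b.qty > 0 and (b.expiry is None or b.expiry >= today)]
    usable.sort(key=lambda b: (b.expiry or date.max, b.received))
    if sum(b.qty for b in usable) < qty:
        raise ValueError(f"insufficient unexpired stock of {item}")
    issued = []
    for b in usable:
        if qty == 0:
            break
        take = min(b.qty, qty)
        b.qty -= take          # stock is updated batch-wise
        qty -= take
        issued.append((b.batch_no, take))
    return issued


def sample_stock():
    """Constructed batches as on AS_ON; one batch is already expired."""
    return [
        Batch("Paracetamol 500mg", "B-101", 40, date(2024, 3, 10), date(2024, 4, 15)),
        Batch("Paracetamol 500mg", "B-102", 60, date(2024, 1, 5), date(2024, 3, 1)),
        Batch("Paracetamol 500mg", "B-103", 25, date(2023, 9, 1), date(2025, 9, 1)),
        Batch("Cotton Rolls", "C-7", 15, date(2023, 12, 1)),
    ]
```

Note that the expired batch B-102 still counts in the raw stock balance but is never issued, so a re-order check based on usable stock would trigger earlier than one based on the raw balance.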

Integration with Other Modules

Any ERP System is like a human body. There are different units and each unit relates to
other units. All the units must work in harmony with other units to generate desired

39. Explain important points for integration of modules with Financial & Accounting

Following points are important for integration of modules with Financial & Accounting
• Master data across all the modules must be the same and must be shared with other
modules wherever required.
• Common transaction data must be shared with other modules wherever
• Separate voucher types to be used for each module for easy identification of
department recording it.
• Figures and transaction may flow across the department, e.g. closing stock value is
taken to Trading Account as well as Balance Sheet. Closing stock quantity is
required by Purchase Department, Stores Department, Accounts Department,
Production Department etc. Hence, it is necessary to design the system

40. Explain important points for integration with other modules

Some of the points where integration with other modules is required are discussed here.

(i) Material Management Integration with Finance & Controlling (FICO)

It is integrated in the area like Material Valuation, Vendor payments, Material costing
etc. Whenever any inventory posting is done, it updates the G/L accounts online in the
background. Logistics invoice verification will create vendor liability in vendor account
immediately on posting the document. Any advance given against the purchase order
updates the Purchase Order history. For every inventory posting there is corresponding
Controlling document to update profit center accounting reporting.

(ii) Human Resource Module Integration with Finance & Controlling
Attendance and leave record is used for calculation of salary on monthly basis. Salary is
also a part of financial accounting. Hence salary processed and calculated by Human
Resource Module shall be integrated with Finance & Controlling Module.

(iii) Material Management Integration with Production Planning (PP)

It is integrated in the areas like Material Requirement Planning, Receipts/issues against
production orders, Availability check for stocks etc. Material Requirement Planning is
based on stocks, expected receipts and expected issues. It generates planned orders or
purchase requisitions which can be converted to purchase orders/Contracts. Inventory
Management is responsible for staging of the components required for production
orders. The receipt of the finished products in the Warehouse is posted in Inventory

(iv) Material Management Integration with Sales & Distribution (SD)

It is integrated in the areas like Delivery, Availability Check, Stock transfers requirements
etc. As soon as a sales order is created, it can initiate a dynamic availability check of
stocks on hand. When the delivery is created, the quantity to be delivered is marked as
“Scheduled for delivery”. It is deducted from the total stock when the goods issue is
posted. Purchase order can be directly converted to delivery for a stock transfer

(v) Material Management Integration with Quality Management (QM)

It is integrated with QM for Quality inspection at Goods Receipt, In process inspection
etc. In the case of a goods movement, the system determines whether the material is
subject to an inspection operation. If so, a corresponding activity is initiated for the
movement in the Quality Management system. Based on quality parameters vendor
evaluation is done.

(vi) Material Management Integration with Plant Maintenance (PM)

The material/service requirement is mentioned in the Maintenance order. This leads to
generation of a Purchase Requisition. This PR will be converted to a Purchase Order by MM.
The goods for a PO will be inwarded to Maintenance by MM. The spares which were
reserved for the maintenance order will be issued by MM against the reservation number.

41. Explain Management Information System (MIS)

· It is a system which provides accurate, timely and meaningful data to managers
for decision making.

· MIS systems automatically collect data from various areas within a business. These
systems can produce daily reports that can be sent to key members throughout the
· Most MIS systems can also generate on-demand reports. On-demand MIS reports
allow managers and other users of the system to generate an MIS report whenever
they need it.
· It provides various types of sales reports i.e. month wise, quarter wise etc.
· It is user friendly system.

42. Explain various benefits / criteria of MIS

• Relevant - MIS reports need to be specific to the business area they address. This is
important because a report that includes unnecessary information might be
• Timely – It provides information to the manager as and when it is required by him.
An example of timely information for your report might be customer phone calls
and emails going back 12 months from the current date.
• Accurate – It should provide accurate information to the manager. Managers and
others who rely on MIS reports can’t make sound decisions with information that is
wrong. Financial information is often required to be accurate to the decimal. In
other cases, it may be OK to round off numbers.
• Structured - Information in an MIS report can be complicated. Making that
information easy to follow helps management understand what the report is saying.
Try to break long passages of information into more readable blocks or chunks and
give these chunks meaningful headings.


Data Analytics is the process of examining data sets to draw conclusions about the
information they contain, increasingly with the aid of specialized systems and software.
Data analytics technologies and techniques are widely used in commercial industries to
enable organizations to make more-informed business decisions and by scientists and
researchers to verify or disprove scientific models, theories and hypotheses.

43. Explain Business Intelligence (BI)

· BI in simple words refers to the process of collecting and refining information from
many sources, analyzing and presenting the information in useful ways so that
users can make better business decisions.
· Business intelligence (BI) is a set of theories, methodologies, architectures, and
technologies that transform raw data into meaningful and useful information for
business purposes.
· BI has been made possible because of advances in a number of technologies, such
as computing power, data storage, computational analytics, reporting and
· From the perspective of decision making, BI uses data about yesterday and
today to facilitate making better decisions about tomorrow.
· This is done through arranging information in a manner that best provides
insights into the future, thus making the enterprise work smarter.
· BI enables managers to see things with more clarity, and empowers them to peek
into the possible future.

Fig. showing example of Business Intelligence use.

Example of Business Intelligence

Business Intelligence uses data from different sources and helps to find answers to
various questions (as shown in the figure above).
BI data can include historical information, as well as new data gathered from source
systems as it is generated, enabling BI analysis to support both strategic and tactical
decision-making processes. Initially, BI tools were primarily used by data analysts and
other IT professionals who ran analyses and produced reports with query results for
business users. Increasingly, however, business executives and workers are using BI
software themselves, thanks partly to the development of self-service BI and data
discovery tools.


44. What is business reporting and why it is important

Business Reporting or Enterprise Reporting is the public reporting of operating and
financial data by a business enterprise, or the regular provision of information to
decision-makers within an organization to support them in their work.
Reporting is a fundamental part of the larger movement towards improved business
intelligence and knowledge management. Often implementation involves Extract,
Transform, and Load (ETL) procedures in coordination with a data warehouse and then
using one or more reporting tools. While reports can be distributed in print form or via
email, they are typically accessed via a corporate intranet.
Organizations conduct a wide range of reporting, including financial and regulatory
reporting; Environmental, Social, and Governance (ESG) reporting (or sustainability
reporting); and, increasingly, integrated reporting.
Organizations communicate with their stakeholders about:
· mission, vision, objectives, and strategy;
· governance arrangements and risk management;
· financial, social, and environmental performance (how they have fared against
their objectives in practice).

Importance of Business Reporting

· Effective and transparent business reporting allows organizations to present
detailed explanation of their business and helps them engage with internal and
external stakeholders, including customers, employees, shareholders, creditors, and
· It helps stakeholders to assess organizational performance and make informed
decisions with respect to an organization’s capacity to create and preserve value.
· As organizations fully depend on their stakeholders for sustainable success, it is in
their interest to provide them with high- quality reports. For example, effective
high-quality reporting reduces the risk for lenders and may lower the cost of capital.
· High-quality reports also promote better internal decision-making.
· High-quality information is integral to the successful management of the business,
and is one of the major drivers of sustainable organizational success.

45. Explain XBRL

· XBRL (extensible Business Reporting Language) is a freely available and global
standard for exchanging business information.
· XBRL is used by Government, companies, regulators, Accountants and Investors.
· One use of XBRL is to define and exchange financial information, such as a financial
· XBRL provides a language in which reporting terms can be used to uniquely
represent the contents of financial statements or other kinds of compliance,
performance and business reports. XBRL lets reporting information move between
organizations rapidly, accurately and digitally.
· XBRL makes reporting more accurate and more efficient.

46. What is XBRL tagging?
XBRL Tagging is the process by which any financial data is tagged with the most
appropriate element in an accounting taxonomy (a dictionary of accounting terms) that
best represents the data in addition to tags that facilitate identification/classification
(such as enterprise, reporting period, reporting currency, unit of measurement etc.).
Since all XBRL reports use the same taxonomy, numbers associated with the same
element are comparable irrespective of how they are described by those releasing the
financial statements.
Comprehensive definitions and accurate data tags allow preparation, validation,
publication, exchange, consumption and analysis of business information of all kinds.
Information in reports prepared using the XBRL standard is interchangeable between
different information systems in entirely different organizations. This allows for the
exchange of business information across a reporting chain. People that want to report
information, share information, publish performance information and allow straight
through information processing all rely on XBRL.

47. What is the basic purpose of XBRL? Discuss its important features as well.

XBRL is used in many ways, for many different purposes, including by:

(i) Regulators
· Financial regulators that need significant amounts of complex performance
and risk information about the institutions that they regulate.
· Securities regulators and stock exchanges that need to analyze the
performance and compliance of listed companies and securities, and need to
ensure that this information is available to markets to consume and analyze.
· Business registrars that need to receive and make publicly available a range of
corporate data about private and public companies, including annual financial
· Tax authorities that need financial statements and other compliance
information from companies to process and review their corporate tax affairs.

(ii) Companies
· Companies that need to provide information to one or more of the regulators
mentioned above.
· Enterprises that need to accurately move information around within a complex

(iii) Governments
· Government agencies that are simplifying the process of businesses reporting
to government
· Government agencies that are improving government reporting by
standardizing the way that consolidated or transactional reports are prepared
and used within government agencies and/or published into the public

(iv) Data Providers

· Specialist data providers that use performance and risk information published
into the market place and create comparisons, ratings and other value-added
information products for other market participants.

(v) Analysts and Investors

· Analysts that need to understand relative risk and performance.
· Investors that need to compare potential investments and understand the
underlying performance of existing investments.

(vi) Accountants
· Accountants use XBRL in support of clients’ reporting requirements and are
often involved in the preparation of XBRL reports.

Important features of XBRL

· Clear Definitions: XBRL allows the creation of reusable, authoritative definitions,
called taxonomies, that capture the meaning contained in all the reporting terms
used in a business report, as well as the relationships between all of the terms.
· Testable Business Rules: XBRL allows the creation of business rules that constrain
what can be reported. Business rules can be logical or mathematical, or both, and
can be used, for example, to:
o stop poor quality information being sent to a regulator or third party, by
being run by the preparer while the report is in draft;
o flag or highlight questionable information, allowing prompt follow
up, correction or explanation;
o create ratios, aggregations and other kinds of value-added information,
based on the fundamental data provided.
· Multi-lingual Support: XBRL allows concept definitions to be prepared in as many
languages as necessary. Translations of definitions can also be added by third parties.
This means that it’s possible to display a range of reports in a different language to
the one that they were prepared in, without any additional work.
· Strong Software Support: XBRL is supported by a very wide range of software from
vendors large and small, allowing a very wide range of stakeholders to work with the
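
To make the tagging (Q46) and "testable business rules" points concrete, here is an added example (not from the notes) that parses a small constructed XBRL instance, reads each fact's concept, context (entity and reporting period) and unit, and runs one business rule, Assets = Liabilities + Equity, over every context before the report would be filed. The taxonomy namespace, the prefix ex and the entity identifier scheme are hypothetical placeholders, not a real taxonomy.

```python
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"      # XBRL 2.1 instance namespace
EX = "http://example.com/taxonomy/2024"          # hypothetical taxonomy namespace

# Constructed instance: one entity, two balance-sheet dates, INR amounts.
SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}"
            xmlns:iso4217="http://www.xbrl.org/2003/iso4217" xmlns:ex="{EX}">
  <xbrli:context id="FY2024">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/entity-id">ENTITY-ID-PLACEHOLDER</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2024-03-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:context id="FY2023">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/entity-id">ENTITY-ID-PLACEHOLDER</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2023-03-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="INR"><xbrli:measure>iso4217:INR</xbrli:measure></xbrli:unit>
  <ex:Assets contextRef="FY2024" unitRef="INR" decimals="0">1500000</ex:Assets>
  <ex:Liabilities contextRef="FY2024" unitRef="INR" decimals="0">900000</ex:Liabilities>
  <ex:Equity contextRef="FY2024" unitRef="INR" decimals="0">600000</ex:Equity>
  <ex:Assets contextRef="FY2023" unitRef="INR" decimals="0">1200000</ex:Assets>
  <ex:Liabilities contextRef="FY2023" unitRef="INR" decimals="0">800000</ex:Liabilities>
  <ex:Equity contextRef="FY2023" unitRef="INR" decimals="0">350000</ex:Equity>
</xbrli:xbrl>
"""


def parse_instance(xml_text):
    """Return ({context_id: (entity_id, period)}, [(concept, context_id, unit_id, value), ...])."""
    root = ET.fromstring(xml_text)
    contexts = {}
    for ctx in root.findall(f"{{{XBRLI}}}context"):
        ident = ctx.find(f"{{{XBRLI}}}entity/{{{XBRLI}}}identifier").text
        period = ctx.find(f"{{{XBRLI}}}period/*").text   # instant (or startDate for durations)
        contexts[ctx.get("id")] = (ident, period)
    facts = []
    for el in root:
        if el.tag.startswith(f"{{{XBRLI}}}"):
            continue                               # contexts and units are not facts
        concept = el.tag.split("}", 1)[1]          # strip the taxonomy namespace
        facts.append((concept, el.get("contextRef"), el.get("unitRef"), int(el.text)))
    return contexts, facts


def check_balance_sheet(xml_text):
    """Business rule: Assets = Liabilities + Equity in every context. Returns a list of violations."""
    contexts, facts = parse_instance(xml_text)
    by_ctx = {}
    for concept, ctx_id, unit, value in facts:
        if ctx_id not in contexts:
            return [f"fact {concept} refers to unknown context {ctx_id}"]
        by_ctx.setdefault(ctx_id, {})[concept] = value
    violations = []
    for ctx_id, vals in sorted(by_ctx.items()):
        diff = vals["Assets"] - (vals["Liabilities"] + vals["Equity"])
        if diff != 0:
            _, period = contexts[ctx_id]
            violations.append(f"{ctx_id} ({period}): Assets - (Liabilities + Equity) = {diff}")
    return violations
```

Run by the preparer while the report is in draft, a rule like this stops the FY2023 mismatch from reaching the regulator, which is the use the notes describe.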

What is Regulatory Compliance?
In general, Compliance means conforming to a rule, such as a specification, policy,
standard or law. Regulatory Compliance describes the goal that organizations aspire to
achieve in their efforts to ensure that they are aware of and take steps to comply with
relevant laws, policies, and regulations.
Regulatory compliance is an organization’s adherence to laws, regulations, guidelines and
specifications relevant to its business. Violations of regulatory compliance regulations
often result in legal punishment, including interest, penalty and prosecution in some
By and large we can classify the compliance and regulatory requirements in two types as
a. General - Applicable to all irrespective of anything.
b. Specific - Applicable to specific type of businesses only.
E.g. Income Tax compliance is applicable to all subject to basic exemption limit. But
compliance regarding GST, Labour Law, Company Law, etc. are applicable to specific type
of businesses / entities only.

Regulatory Compliance and Accounting Systems

Regulatory compliance and accounting systems are closely connected with each other.
Most of the regulatory compliance requires accounting data and accounting data comes
from accounting systems. E.g. Income tax returns are prepared based on accounting data
only. There may be two approaches for making compliances requiring accounting data.
a. Using same software for accounting and tax compliance; and
b. Using different software for accounting and tax compliance.
Software is needed for tax compliances as almost all the tax compliance today is through
electronic mode only. If separate software is used for accounting and tax compliance, we
need to put data in tax compliance software either manually or electronically. There are
some pros and cons of both the approaches as discussed in the Table.

48. What are the pros and cons of having single software for accounting and tax
Pros and Cons of having single software for Accounting and Tax Compliance

1. Ease of software operation
   Accounting & Tax Compliance Software: Less - as this is an integrated system of
   accounting and tax compliance, everything is connected with each other and making
   changes at one place may affect other aspects also.
   Only Tax Compliance Software: More - as this is used only for one single purpose, i.e.
   tax compliance, it is less complicated and bound to be easy.
2. Features and facilities
   Accounting & Tax Compliance Software: Less - as this system is not an exclusive
   system for tax compliance, it may have limited features for tax compliance.
   Only Tax Compliance Software: More - as this is an exclusive and specifically designed
   system for tax compliance, naturally more features and facilities shall exist in this
3. Time and efforts required
   Accounting & Tax Compliance Software: Less - as this is an integrated system, time
   required to transfer data to compliance software is zero.
   Only Tax Compliance Software: More - as this is a separate software, data from
   accounting software needs to be put in this for preparation of returns. This may take
   extra time and efforts.
4. Accuracy
   Accounting & Tax Compliance Software: More - as this is an integrated system,
   accounting data and tax compliance data shall always be the same. No need to
   transfer data to compliance software and reconcile the data.
   Only Tax Compliance Software: Less - as there are two separate systems, reconciliation
   with accounting data is needed, and the possibility of mismatch of data is always there.
5. Cost
   Accounting & Tax Compliance Software: More - if the tax compliance feature is not
   available in the accounting system, getting it customized may require some amount of
   cost which may be higher than buying separate software.
   Only Tax Compliance Software: Less - as this is specific purpose software, there shall
   be less complications and the cost also shall be less.

Section 1: Information Systems Components
1. What is Information system
· Data is a raw fact and can take the form of a number or statement, such as a
date or a measurement, which has no meaning.

· Processed data is known as information.
· Information is organized and compiled data that has some value to the
receiver or information is data that has been transferred into a meaningful
and useful form for specific purpose.

· The system is a set of mutually related, coordinated elements or components
that operate together to accomplish common objectives by taking inputs and
producing outputs in an organized manner.

Information System:
· It is a combination of people, hardware, software, communication
devices, network and data resources that processes data and generates
information for a specific purpose.
· In other words, Information System is a set of interrelated components working
together to collect, retrieve, process, store and disseminate (distribute)
information for the purpose of achieving objectives such as planning,
coordination, analysis and decision making.
Five activities of a Generic System:

· Input: the data flowing into the system from outside

· Processing: converting the input into a useful form
· Output: the information flowing out of the system
· Storage: the means of holding information for use at a later date
· Feedback: occurs when the outcome has an influence on the input.

2. What are the Characteristics of an information system / computer based

information system?
· All systems work for predetermined objectives, and the system is designed and
developed accordingly.

· Systems have a number of interrelated and interdependent sub-systems. No
sub-system can function in isolation; it depends on other sub-systems for
· If one sub-system / component fails, in most cases the whole system
does not work.
· The way a sub-system works with other sub-systems is called
interaction. The different sub-systems interact with each other to achieve the
goals of the system.
· The work done by individual sub-systems is integrated to achieve the central
goal of the system.

3. Explain the components of an Information System (PM)

· An Information System is a set of interrelated components working together to
collect, retrieve, process, store and disseminate (distribute) information for the
purpose of achieving objectives such as planning, coordination, analysis and
decision making.
· The main purpose of an Information System is to convert data into information
which is useful and meaningful.
· An Information System (IS) consists of four basic
concepts/components/basic resources:
§ People: Human resources consist of end users and IT specialists.
§ Hardware: Hardware involves machines and media.
§ Software: Software resources consist of programs and procedures.
§ Data: Data resources include data, models, and the knowledge base.
§ Network & communication system: Network means communication media
and includes Internet, Intranet and Extranet.
· All components of an information system are mutually connected and cannot
exist individually.

4. What is meant by Hardware?

· Hardware is the tangible portion / physical component of computer
systems which a user can touch and see.
· It basically consists of devices that perform the input,
processing, data storage and output activities of the computer.
· Hardware consists of input devices, processing devices, data storage
devices and output devices.


5. Explain briefly about Input devices and Processing devices (Central

Processing Unit)?

Input devices:

· Input devices are devices through which we interact with the system,
i.e. they are used for providing data and instructions to the computer.
· They include devices like Keyboard, Mouse and other pointing devices,
Scanners & Bar code readers, Webcams, and Microphone.
§ Keyboard helps to provide text based input.
§ Mouse helps to provide menu or selection based input.
§ Scanners & Webcams help to provide image based input.
§ Microphone helps to provide voice based input.

Processing devices:
Central Processing Unit (CPU):
· It is like the brain / heart of the computer.
· The CPU is built on a small chip of silicon and it can contain several million
· The main function of the CPU or Processor is to interpret and execute
programs stored in memory and coordinate the other hardware devices.
· It consists of three functional units:
§ Control Unit (CU): The CU controls the flow of data and instructions to and from
memory, interprets the instructions and controls which tasks to execute
and when.

§ Arithmetic and Logical Unit (ALU): Performs arithmetic operations such
as addition, subtraction, multiplication, and logical operations such as AND,
OR, NOT and comparison operations such as Equal to, Greater than, Less
than, etc.

§ Registers: These are high speed memory / storage units within the CPU for
storing small amounts of data (mostly 32 or 64 bits). Registers are used as
a work area for temporary storage of instructions and data during the
operations of the Control Unit and Arithmetic Logical Unit.

Registers could be:

· Accumulators: They store the intermediate results of processing or can keep
running totals of arithmetic values.
· Address Registers: They store memory addresses which tell the CPU
where in memory an instruction is located.
· Storage Registers: They temporarily store data that is being sent to or
coming from the system memory.
· Miscellaneous: These are used for several general purpose functions.
(Q: What is CPU. What are the three functional units of CPU) (PM)
6. Explain briefly about the Memory concept.
Explain about data storage devices.
As the name indicates, these devices refer to the memory where data and
programs are stored. The various types of memory techniques/devices are given below:

A. Internal memory:

(i) Registers: Registers are internal memory within the CPU, which are very
fast and very small.

(ii) Cache Memory:

· Cache is used to bridge the speed difference
between Registers and Primary memory (RAM).
· It is a smaller, faster memory which stores copies of the data
from the most frequently used main memory locations so that the
Processor / Registers can access it more rapidly than by accessing
main memory.
B. Primary Memory: These are devices in which any location can be accessed
in any order (in contrast with sequential order), i.e. randomly. These are
primarily of two types:

(i) Random Access Memory (RAM):

· This is Read/Write memory.
· Information can be read as well as modified (i.e. written).
· Volatile in nature, meaning information is lost as soon as power is
turned off.
· RAM is an expandable memory, i.e. we can expand the size of
(ii) Read Only Memory (ROM):
· This is non-volatile in nature (content remains even in absence of
· Information can be read, not modified.
· Generally used by manufacturers to store data & programs like the
startup program and configuration of the computer.

· ROM is provided by the manufacturer on the motherboard and generally it
is not expandable memory.
C. Virtual Memory:
· Virtual Memory is not an actual memory; it is an imaginary memory. It is a
memory technique which helps to execute large programs with a small
amount of available RAM.
· If a computer lacks the RAM needed to run a program or operation,
Windows uses virtual memory to compensate.
· Virtual memory combines the computer's RAM with temporary space on
the hard disk. When RAM runs low, virtual memory moves data from
RAM to a space called a paging file (or segmentation) on the hard disk.
· Moving data to and from the paging file frees up RAM to complete its
· Thus, Virtual memory is an allocation of hard disk space to help RAM.
(Q. Difference between cache memory and virtual memory Nov 15)
D. Secondary Memory:
· Primary memory storage capacity is limited, expensive and volatile.
Hence, it is necessary to have secondary storage to hold data and
programs permanently.
· These memories are known as secondary storage because they
are not directly accessible by the CPU. Data in these memories
is transferred through RAM or primary memory.
· Some of the commonly used secondary storage devices are: magnetic
tape drives, magnetic disk drives (hard disks, floppy disks, etc.), optical
disk drives (CDs, DVDs, Blu-ray disks, etc.)
Characteristics of secondary storage devices:

a) Non volatile: Content can be stored permanently.

b) Large capacity: These are available in large sizes, e.g. hard disk.

c) Low cost: The cost of this type of memory is lower compared to registers
or RAM.
d) Slow speed: Slower in speed compared to registers or RAM.
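The cache described in 6.A(ii) keeps copies of the most recently used main memory locations so that repeated accesses are served from the fast memory. The following simulation is an added example (not code from the study material): main memory and the address traces are constructed, and the cache uses least-recently-used replacement, one common policy, to show why a program that keeps touching the same few locations gets almost all hits while a single pass over fresh data gets none.

```python
"""Added example (not from the study material): a small simulation of the cache
described in 6.A(ii), a fast memory that keeps copies of the most recently used
main-memory locations. Main memory and the access traces are constructed here."""
from collections import OrderedDict


class CacheSim:
    """Fixed-capacity cache with least-recently-used (LRU) replacement."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.lines = OrderedDict()   # address -> copied value, oldest first
        self.hits = 0
        self.misses = 0

    def read(self, address, main_memory):
        if address in self.lines:
            # Fast path: the copy is already in cache; mark it most recently used.
            self.hits += 1
            self.lines.move_to_end(address)
            return self.lines[address]
        # Slow path: go to main memory, then keep a copy in the cache.
        self.misses += 1
        value = main_memory[address]
        if len(self.lines) >= self.capacity:
            self.lines.popitem(last=False)   # evict the least recently used line
        self.lines[address] = value
        return value

    def hit_ratio(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def run_trace(trace, capacity):
    """Replay an address trace through a cache; return (hits, misses)."""
    # Constructed main memory: each address simply holds ten times its number.
    main_memory = {addr: addr * 10 for addr in set(trace)}
    cache = CacheSim(capacity)
    for addr in trace:
        assert cache.read(addr, main_memory) == addr * 10  # the copy is faithful
    return cache.hits, cache.misses


if __name__ == "__main__":
    # A program that keeps touching the same few locations (good locality)
    print("loop over 3 hot addresses:", run_trace([1, 2, 3] * 4, capacity=4))
    # A single pass over 10 distinct addresses: nothing is ever reused
    print("one sequential scan:", run_trace(list(range(10)), capacity=4))
    # A loop larger than the cache defeats LRU: every access misses
    print("loop larger than cache:", run_trace(list(range(8)) * 2, capacity=4))
```

The third trace is the failure mode worth remembering: once the working set of a loop exceeds the cache capacity, LRU evicts each line just before it is needed again, and the hit ratio drops to zero even though the same addresses repeat.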
7. Explain output devices.

· Computers provide output to decision makers at all levels of an enterprise
to solve business problems.
· The desired output may be text, graphics or video information. Output
devices can be used to view the output in hard copy form and soft copy
· Output devices are the devices through which the system responds.
· The various types of output are:
§ Textual output comprises characters that are used to create words,
sentences, and paragraphs.
§ Graphical output is a digital representation of non-text information such as
drawings, charts, photographs, and animation.
§ Tactile output such as raised line drawings may be useful for some
individuals who are blind.
§ Audio output is any music, speech, or other sound.
§ Video output consists of images played back at speeds that provide the
appearance of full motion.
· Examples of output devices: Screen, Printer, Speaker etc.

8. Define the term Software. Write about different types of Software.

· Software is a program or a set of programs.

· The term describes the instructions that tell the hardware how to perform a
task. Without software, hardware cannot do any work.
There are basically two types of software:
1. Operating system software
2. Application software

9. Write about Operating System Software in detail.

· An O/S is a set of computer programs that manages computer hardware

resources and acts as an interface with computer application programs.
· Application programs usually require an operating system to function; it
provides a convenient environment for users to execute their programs.
· Some prominent Operating Systems in use nowadays are Windows 7,
Windows 8, Linux, Unix etc.
A variety of activities are executed by Operating Systems, which include:

· Managing hardware functions: The O/S helps in performing hardware tasks such

as obtaining input from keyboard and mouse, accessing data from the hard disk
and displaying output on the monitor. It acts as an intermediary between the
application program and the hardware.
· User Interfaces: The O/S provides a user interface for working on a computer. In
earlier days Command User Interfaces (CUI) were widely used, but today
most O/Ss provide a Graphical User Interface (GUI) which uses icons and
menus for executing activities on a computer in a user friendly manner. So,
how we interface with our system is provided by the O/S.
· Memory Management: Allows controlling how memory is accessed and
maximizes available memory and storage. The OS also provides Virtual Memory,
effectively extending the capacity of RAM. (Nov 16)
· Task Management: The O/S can execute many tasks simultaneously and it
keeps track of the resources used by multiple jobs / tasks being executed
simultaneously. In the case of multitasking, the O/S helps in allocating resources to
make optimum utilization of them. This facilitates a user working with
more than one application at a time.
· Networking Capability: The O/S provides many features and capabilities to help
connect to computer networks. For example, Linux and Windows 8 give us excellent
capability to connect to the internet.
· Logical access security: It provides logical security by establishing a
procedure for identification and authentication using a User ID and Password.
It can log user access, thereby providing a security control.
· File management: The O/S does efficient file management by allowing users to
give appropriate names to files and providing folders or directories for file
management. It keeps track of where each file is stored and who can access
(Q: What is operating system and various activities performed by O/S)
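The logical access security activity above has three parts: identification (the User ID), authentication (the password) and a log of access attempts. The following is an added example written for this page, not the code of any real operating system, that models those three parts. The user store, the user IDs and the passwords are constructed; the password is never stored, only a salted hash of it, so the check compares hashes rather than secrets.

```python
"""Added example (not the code of any real operating system): a model of the
'logical access security' activity described above, identification with a User ID,
authentication with a password, and an access log of every logon attempt.
The user store and the user IDs are constructed for the example."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000

# Constructed user store: user ID -> (random salt, PBKDF2-SHA256 hash of the password).
# Only the hash is kept, so a copy of this store does not reveal any password.
_USERS = {}

# Access log: one entry per logon attempt, which is what lets an auditor see
# who tried to log on, when, and whether it succeeded.
ACCESS_LOG = []


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_user(user_id, password):
    """Enrol a user: store a fresh salt and the salted password hash."""
    salt = os.urandom(16)
    _USERS[user_id] = (salt, _derive(password, salt))


def authenticate(user_id, password):
    """Identification (user ID lookup) + authentication (password check); logs the attempt."""
    record = _USERS.get(user_id)
    if record is None:
        # Unknown ID: still do the hash work so timing does not reveal which IDs exist.
        _derive(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored_hash = record
        # Constant-time comparison avoids leaking how many bytes matched.
        ok = hmac.compare_digest(_derive(password, salt), stored_hash)
    ACCESS_LOG.append({
        "user": user_id,
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "success": ok,
    })
    return ok


def failed_attempts(user_id):
    """Count failed logons for a user ID, the figure a lockout rule or an audit would use."""
    return sum(1 for entry in ACCESS_LOG if entry["user"] == user_id and not entry["success"])


if __name__ == "__main__":
    register_user("clerk01", "correct-passphrase")
    print(authenticate("clerk01", "correct-passphrase"))   # True
    print(authenticate("clerk01", "wrong"))                # False
    print(failed_attempts("clerk01"), ACCESS_LOG)
```

Every attempt, successful or not, lands in ACCESS_LOG; that record, rather than the password check itself, is what turns logon into a security control that can be reviewed later.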

10. Define the term Application Software. Mention briefly the different types of
application software. (PM) (Nov 15)

Software which is used to perform a specific task is called Application

Software. It helps users to solve real life problems such as banking, stock trading

The different types of application software are:

· Application Suite: Has multiple applications bundled together. Related

functions, features and user interfaces interact with each other. E.g. MS Office
2010 which has MS Word, MS Excel, MS Access, etc.
· Enterprise Software: This type of software helps to manage an enterprise's
resources in an integrated manner. E.g. ERP applications like SAP.
· Enterprise Infrastructure Software: Provides capabilities required to
support enterprise software systems. E.g.: email servers, Security
· Information Worker Software: Addresses individual needs required to
manage and create information. E.g. Spreadsheets, CAAT (Computer
Assisted Audit Tools), etc.
· Content Access Software: Used to access and publish digital and
multimedia content. E.g. Media Players, Adobe Digital etc.
· Educational Software: Holds content adapted for use by students. E.g.
Examination Test CDs
· Media Development Software: Addresses individual needs to generate and
print electronic media for others to consume. E.g. Desktop Publishing, Video
Editing etc.
11. Explain the advantages and disadvantages of Application software.

Benefits of Application Software:

· Addressing User needs: The main advantage is that it meets the exact
needs of the user since it is designed specifically with one / specific
purpose in mind.
· Less threat from viruses: The threat of viruses invading custom-made
applications is very small, since any business that incorporates it can restrict
access and can come up with means to protect its network as well.

· Regular updates: Licensed application software gets regular updates from
the developer for security reasons. Additionally, the developer also regularly
sends personnel to correct any problems that may arise from time to time.

Disadvantages of Application Software:

· Development is costly: Developing application software designed to meet
specific purposes can prove to be quite costly for the user / organization.
· Infection from Malware: If application software is used commonly by many
people and shared online, it carries a very real threat of infection by a
computer virus or other malicious programs.
12. What are the major areas of computer based applications or
Application areas of Computer based applications

1. Inventory Management
(Stores Management)
· The inventory management system is designed with a view to keeping
track of materials in the stores.
· It is used to regulate the following aspects of inventory:
§ Maximum and minimum level of stocks
§ Raising an alarm at danger level of stock of any material
§ Giving timely alerts for re-ordering of materials with optimal re-order
2. Production (Manufacturing)
· The objective of this subsystem is to optimally deploy men, machines
and materials to maximize production or service.
· The system generates production schedules and schedules of material
· It monitors product quality and also helps in overhead cost control
and waste control.
3. Marketing and Sales
· The objective of this subsystem is to maximize sales and ensure
customer satisfaction.
· The marketing system increases the chances of order procurement by
facilitating the marketing of the company's products, the
creation of new customers and the advertising of products.
· The sales department may use the system to keep the status and track of
orders and generate bills for the orders executed and delivered to the

4. Finance and Accounting

· The main goal of this system is to ensure the financial viability of the organization,
enforce financial discipline and plan and monitor the financial budget.
· It helps in forecasting revenues, determining the best sources and uses of
funds and managing other financial resources.
5. Human Resources Management

· Human resource is the most valuable asset for an organization.
Utilization of this resource in the most effective and efficient way is an
important function for any enterprise. The Human resource management
system aims to achieve the goal of fewer disputes and right utilization of

13. Define the terms Database, Database Management System (DBMS).

Data is a very crucial resource for an organization, and for the smooth functioning of the
organization it is necessary that this data is managed very effectively. In organizations like
banks, insurance companies, stock exchanges etc. the data is the key asset, and
any loss of data or mismanagement of data may result in economic and reputational
Data: Data represents facts and figures such as name, address, age, numbers
A Database is a collection of related data.
DBMS: A DBMS is a collection of programs that enables users to create and
maintain a database and facilitates the processes of defining, constructing, and
manipulating databases for various applications.

14. Explain the major objectives of the organization while using DBMS and
operations performed by DBMS?

A DBMS can be used to meet the following objectives:

· Knowing the information needs
· Acquiring the needed information
· Organizing the acquired information in a meaningful way
· Assuring information quality
· Providing software tools so that users in the enterprise can access the
information they require.
The following operations can be performed on a Database:
· Adding new files to the database
· Deleting existing files from the database
· Inserting data in existing files
· Modifying data in existing files
· Deleting data in existing files
· Retrieving or querying data from existing files.
Commercially available Database Management Systems are Oracle, MySQL,
SQL Server, DB2 etc.

15. Explain hierarchy of database

Hierarchy of Database:

· Database: This is a collection of Files.

· File: This is a collection of Records.
· Record: This is a collection of Fields.
· Field: This is a collection of Characters.
· Characters: These are a collection of Bits.
Q: List four phases of evolution in the Hierarchy of Database modeling (Nov 16)

16. What is a database model? Discuss its various types. (PM)

A database model is a data model which provides the logical structure of a database,
i.e. how data records and files will be arranged in the database.
There are four database models or database structures:

· Hierarchical Database Model

· Network Database Model
· Relational Database Model
· Object oriented Database Model

17. Explain the Hierarchical Database Model in detail. (PM)

a) A hierarchically structured database is arranged logically in an inverted

tree pattern.
b) All records in the hierarchy are called nodes. Each node is related to the
others in a parent-child relationship. For example: arranging accounts data
for companies as: under the company, primary accounts such
as Fixed Assets and Current Assets, and then ledger records under these
primary accounts.
c) Each parent record may have one or more child records, but no child
record may have more than one parent record. The top parent record is
called the root record.
d) Thus, this implements one-to-one and one-to-many relationships.

a) The hierarchy should be pre-determined and implemented and therefore,
they are fixed in structure and are less flexible than other database
b) Ad hoc queries cannot be made by the managers.
c) If a particular record has to be traced, then tracing starts from the root and
continues downwards until the requisite record is located.

a) When the parent node is deleted, all the child nodes get automatically


18. Explain the Network Database Model in detail. (PM)

a) The network model is able to represent redundancy in data more efficiently

than the hierarchical model.
b) In the network model a relationship is a set. Each set is made of at least two
types of records: an owner record (parent in hierarchical) and a member
record (child in hierarchical). The difference is that the network model allows a
record to appear as a member in more than one set.

c) This feature allows the network model to implement the one-to-one, one-to-
many, many-to-one and many-to-many relationship types.
a) It is a modified version of the Hierarchical Data model.
b) It is very difficult to develop this type of database structure.
c) It is useful for one-to-one, one-to-many, many-to-one and many-to-many
record relationships.
d) The relationships should be pre-determined.
19. Explain the Relational Database Model in detail. (PM)

a) The relational structure is the most popular database structure.

b) It stores the data in the form of tables. Relational databases are powerful
because they require few assumptions about how data is related and
how data will be extracted.
c) Another important feature of the relational structure is that a single database can
be spread across several tables. It uses tables to organize the data.
d) Each table is equivalent to an entity like employee, and each record (row) is an
object of the application.

A relational database consists of a set of tables, where each table consists of a fixed
collection of columns (also called fields). An indefinite number of rows (or records)
occurs within each table. However, each row must have a unique primary key,
which is a sort of name for that particular bundle of data. The above figure illustrates
the relational database structure. As well as having primary keys, tables typically
have some secondary keys. The secondary keys correspond with primary keys in
other tables. For example, in Figure 2, the BOOKS table has secondary keys
AuthorID and PubID. These, in turn, serve as primary keys for the AUTHORS and
PUBLISHERS tables. The idea here is that every BOOKS row has a distinct ISBN
value, each AUTHORS row a unique AuthorID, and each PUBLISHERS row a unique

As a constraint on the relation between tables, you can state, for example, that for
a row to exist in BOOKS, there must exist a row in PUBLISHERS with the PubID
you want to use in BOOKS. If one publisher can "have" multiple books in this way,
it's called a one-to-many relation. On the other hand, if one author can have
multiple books, and one book can also have multiple authors, it's called a many-to-
many relation. To round things out, you can also define one-to-one relations,
where one primary key must match exactly one secondary key. It is the job of
RDBMSs to enforce just these types of rules.

Advantages:
a) Highly flexible to program and retrieve data.
b) It is much easier to use, as it uses SQL (Structured Query Language), which serves
as a uniform interface for creating and manipulating the database.
c) Can handle queries in a more efficient way.

Disadvantages:
a) Storage space requirements are high.
b) Processing efficiency is comparatively low.
c) Requires more processing capacity and memory.
d) Processing cannot be done without establishing the relationships.
20. Explain Object Oriented Database Model in detail. (PM) (Nov 16)

a) The object oriented database model is the latest development in database
technology. In this, all the elements of the database are modeled as objects and
these objects can be linked together to create the entire database structure.
b) Objects are predefined sets of program code that are used to perform a
specific task. The model is based on the concept of objects and their interactions.
c) An Object-oriented database provides a mechanism to store complex
data such as images, audio and video, etc.
d) An object-oriented database management system (OODBMS) helps
programmers create objects in a programming language that behave as
database objects.
e) Here, new objects can be created or old objects can be modified, reused or
f) Many engineering applications such as Computer Aided Design (CAD),
Computer Aided Engineering (CAE), Multimedia Systems, Image
Processing Systems and Expert Systems are some of the examples.

21. List out the Advantages and Disadvantages of a DBMS. (PM) (Nov 15)

Major advantages are as follows:

a) Permitting data sharing: One of the advantages is that the same
information can be made available to different users. Ex: Railway
reservation etc.
b) Minimizing Data Redundancy: Duplication of information is carefully
controlled or reduced. Minimizing redundancy can reduce the cost of
storing information on hard drives and other storage devices. Ex: By
creating a centralized database, or data in linked tables managed by the DBMS, data
redundancy can be avoided.
c) Integrity can be maintained: Data integrity is maintained with accurate,
consistent, and up-to-date data. Updates and changes to the data only
have to be made in one place in the DBMS, ensuring integrity. Ex: E106
cannot be entered into the loan-to-employee table until the same E106 exists in
the Employee Master.
d) User-friendly: It makes data access and manipulation easier for the
user. It also reduces the reliance of users on computer experts.
e) Improved security: The DBMS provides various security features which can be
used for providing a secured database. Ex: User authentication and Access
f) Faster application development: In a DBMS environment the data is
already there in the database; the application developer has to think only of the
logic required to retrieve the data in the way a user needs.

Major disadvantages are as follows:

a) Cost: Implementing a DBMS can be expensive and time-
consuming, especially in large enterprises. Training requirements alone
can be quite costly.
b) Security: Even with safeguards in place, it may be possible for some
unauthorized users to access the database. If one gets access to the database,
then it could be an all or nothing proposition.
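Item 19 describes primary keys, secondary keys and the one-to-many and many-to-many relations between BOOKS, AUTHORS and PUBLISHERS, and item 21(c) gives the E106 loan row that a DBMS refuses until the employee master row exists. Both are the same mechanism: the RDBMS enforcing referential integrity. The following added example (not code from the study material) builds those tables in SQLite with the foreign-key checks switched on; the publishers, authors and books are constructed sample data. The many-to-many author/book relation needs a junction table (BOOK_AUTHORS here, an assumed name), since a single secondary key column can only hold one parent.

```python
"""Added example (not from the study material): the BOOKS / AUTHORS / PUBLISHERS
tables from item 19 built in SQLite, with the RDBMS enforcing the primary-key and
secondary-key (foreign-key) rules described there. The same mechanism is what
stops the E106 loan row in item 21(c): a child row cannot exist without its parent.
All table contents are constructed sample data."""
import sqlite3

SCHEMA = """
CREATE TABLE PUBLISHERS (
    PubID  INTEGER PRIMARY KEY,
    Name   TEXT NOT NULL
);
CREATE TABLE AUTHORS (
    AuthorID INTEGER PRIMARY KEY,
    Name     TEXT NOT NULL
);
CREATE TABLE BOOKS (
    ISBN   TEXT PRIMARY KEY,                               -- every book row is distinct
    Title  TEXT NOT NULL,
    PubID  INTEGER NOT NULL REFERENCES PUBLISHERS(PubID)   -- one publisher, many books
);
-- A many-to-many relation (one book, many authors; one author, many books)
-- needs a junction table whose rows point at both parents.
CREATE TABLE BOOK_AUTHORS (
    ISBN     TEXT    NOT NULL REFERENCES BOOKS(ISBN),
    AuthorID INTEGER NOT NULL REFERENCES AUTHORS(AuthorID),
    PRIMARY KEY (ISBN, AuthorID)
);
"""

# Constructed sample rows.
SAMPLE_ROWS = [
    ("INSERT INTO PUBLISHERS VALUES (?, ?)",
     [(1, "Example House"), (2, "Sample Press"), (3, "Idle Books")]),
    ("INSERT INTO AUTHORS VALUES (?, ?)", [(1, "A. Writer"), (2, "B. Coauthor")]),
    ("INSERT INTO BOOKS VALUES (?, ?, ?)",
     [("111", "Book One", 1), ("222", "Book Two", 1)]),
    ("INSERT INTO BOOK_AUTHORS VALUES (?, ?)", [("111", 1), ("222", 1), ("222", 2)]),
]


def open_db():
    """In-memory database with the schema and sample rows; FK checks switched on."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def add_book(conn, isbn, title, pub_id):
    """True if the row is accepted; False if the PubID has no PUBLISHERS row."""
    try:
        conn.execute("INSERT INTO BOOKS VALUES (?, ?, ?)", (isbn, title, pub_id))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_publisher(conn, pub_id):
    """True if deleted; False if BOOKS rows still reference this publisher."""
    try:
        conn.execute("DELETE FROM PUBLISHERS WHERE PubID = ?", (pub_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def books_by_author(conn, author_name):
    """Walk the many-to-many relation through the junction table."""
    rows = conn.execute(
        """SELECT b.Title
           FROM BOOKS b
           JOIN BOOK_AUTHORS ba ON ba.ISBN = b.ISBN
           JOIN AUTHORS a ON a.AuthorID = ba.AuthorID
           WHERE a.Name = ?
           ORDER BY b.ISBN""", (author_name,))
    return [title for (title,) in rows]


def publisher_book_counts(conn):
    """The one-to-many side: how many books each publisher 'has'."""
    rows = conn.execute(
        """SELECT p.Name, COUNT(b.ISBN)
           FROM PUBLISHERS p LEFT JOIN BOOKS b ON b.PubID = p.PubID
           GROUP BY p.PubID ORDER BY p.PubID""")
    return [(name, count) for name, count in rows]
```

Two checks are worth running against a new schema: an insert whose secondary key points at no parent row must be rejected, and a delete of a parent that still has children must be rejected as well. If either succeeds, the integrity rule from item 21(c) is not actually being enforced, which in SQLite happens whenever the PRAGMA above is left off.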

Some related Concepts of Database

22. Explain the concept of Big Data
· Big data refers to such massively large data sets that conventional database tools
do not have the processing power to analyze them.
· For example, Walmart must process over one million customer transactions every
· Storing and analyzing that much data is beyond the power of traditional database
management tools.
· Understanding the best tools and techniques to manage and analyze these large
data sets is a problem that governments and businesses alike are trying to solve.
23. Explain Data Warehouse and its advantages.
Data Warehouse: As organizations have begun to utilize databases as the centerpiece
of their operations, the need to fully understand and leverage the data they are collecting
has become more and more apparent.
· However, directly analyzing the data that is needed for day-to-day operations is
not a good idea.
· Further, organizations also want to analyze data in a historical sense.
· How does the data we have today compare with the same set of data this time last
month, or last year?
From these needs arose the concept of the data warehouse.
· The concept of the data warehouse is simple: extract data from one or more of the
organization's databases and load it into the data warehouse (which is itself
another database) for storage and analysis.
However, the execution of this concept is not that simple.
A data warehouse should be designed so that it meets the following criteria:
§ It uses non-operational data. This means that the data warehouse is using a
copy of data from the active databases that the company uses in its day-to-day
operations, so the data warehouse must pull data from the existing databases
on a regular, scheduled basis.
§ The data is time-variant. This means that whenever data is loaded into the data
warehouse, it receives a time stamp, which allows for comparisons between
different time periods.
§ The data is standardized. Because the data in a data warehouse usually comes
from several different sources, it is possible that the data does not use the same
definitions or units. This process is called Extraction-Transformation-Load
§ There are two primary schools of thought when designing a data
warehouse: Bottom-Up and Top-Down.

· The Bottom-Up Approach starts by creating small data warehouses, called
data marts, to solve specific business problems. As these data marts are
created, they can be combined into a larger data warehouse.
· The Top-Down Approach suggests that we should start by creating an
enterprise-wide data warehouse and then, as specific business needs are
identified, create smaller data marts from the data warehouse.
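The three design criteria above (non-operational copies, time-variant loads, standardized data) are easiest to see in a concrete Extraction-Transformation-Load run. The following is an added example written for this page, not code from the study material or from any warehouse product: two constructed source systems record the same kind of sales with different field names, units (rupees versus paise) and date formats, and the load step stamps every row so that one month can be compared with another.

```python
"""Added example (not from the study material): a miniature
Extraction-Transformation-Load run into a data warehouse that is non-operational
(works on copies), time-variant (every load is stamped) and standardized (two
source systems with different units and date formats are brought to one
definition). Both source systems and their rows are constructed."""
from datetime import date, datetime, timezone

# Source system A (constructed): amounts in rupees, ISO dates.
SALES_SYSTEM_A = [
    {"order_id": "A-1", "date": "2023-01-15", "amount_inr": 1200.0},
    {"order_id": "A-2", "date": "2023-02-03", "amount_inr": 800.0},
]
# Source system B (constructed): amounts in paise, dd/mm/yyyy dates, other field names.
SALES_SYSTEM_B = [
    {"ref": "B-7", "dt": "20/01/2023", "amount_paise": 250000},
    {"ref": "B-8", "dt": "14/02/2023", "amount_paise": 150000},
]


def extract():
    """Copy the operational data; the warehouse never works on the live tables."""
    return [dict(r) for r in SALES_SYSTEM_A], [dict(r) for r in SALES_SYSTEM_B]


def transform(a_rows, b_rows):
    """Standardize both sources to one record layout: INR amounts, date objects."""
    out = []
    for r in a_rows:
        out.append({"source": "A", "order_id": r["order_id"],
                    "sale_date": date.fromisoformat(r["date"]),
                    "amount_inr": float(r["amount_inr"])})
    for r in b_rows:
        out.append({"source": "B", "order_id": r["ref"],
                    "sale_date": datetime.strptime(r["dt"], "%d/%m/%Y").date(),
                    "amount_inr": r["amount_paise"] / 100.0})
    return out


def load(warehouse, rows, loaded_at=None):
    """Append the standardized rows, each stamped with the load time; return the count."""
    stamp = loaded_at or datetime.now(timezone.utc)
    for r in rows:
        warehouse.append({**r, "loaded_at": stamp})
    return len(rows)


def monthly_total(warehouse, year, month):
    """Sum of sales for one calendar month across all sources."""
    return sum(r["amount_inr"] for r in warehouse
               if r["sale_date"].year == year and r["sale_date"].month == month)


def compare_months(warehouse, this_month, last_month):
    """The 'how does this month compare with last month' question: (this, last, change)."""
    this_total = monthly_total(warehouse, *this_month)
    last_total = monthly_total(warehouse, *last_month)
    return this_total, last_total, this_total - last_total


if __name__ == "__main__":
    warehouse = []
    load(warehouse, transform(*extract()),
         loaded_at=datetime(2023, 3, 1, tzinfo=timezone.utc))
    print(compare_months(warehouse, (2023, 2), (2023, 1)))   # (2300.0, 3700.0, -1400.0)
```

The transform step is where the standardization criterion lives: without the paise-to-rupee conversion the February total from system B would be reported a hundred times too large, and without the date parsing the two sources could not be placed in the same month at all.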
Benefits of Data Warehouse
· The process of developing a data warehouse forces an organization to better
understand the data that it is currently collecting and, equally important, what
data is not being collected.
· A data warehouse provides a centralized view of all data being collected across
the enterprise and provides a means for determining data that is inconsistent.
· Once all the data is brought together, it helps the organization to compare present
data with historical data.
· By having a data warehouse, snapshots of data can be taken over time. This
creates a historical record of data, which allows for an analysis of trends.
· A data warehouse provides tools to combine data, which can provide new
information and analysis.
24. Explain Data Mining:
· Data Mining is the process of analyzing data to find previously unknown
trends, patterns, and associations in order to make decisions.
· Generally, data mining is accomplished through automated means against
extremely large data sets, such as a data warehouse.
· Some examples of data mining include:
§ An analysis of sales from a large grocery chain might determine that milk is
purchased more frequently the day after it rains in cities with a population of
less than 50,000.
§ A bank may find that loan applicants whose bank accounts show particular
deposit and withdrawal patterns are not good credit risks.
25. Write about computer networks or network links.

· A computer network is a collection of computers and other hardware interconnected by

communication channels that allow sharing of resources and information
between connected computers and devices.
· Each component, namely a computer or a hardware device, in a computer
network is called a 'Node'.

· Types of Network:
a) Connection Oriented networks: Where a connection is first
established and then data is exchanged. An example is telephone
networks. This uses a data communication technique known as
circuit switching.

b) Connectionless Networks: Where no prior connection is made

before data is exchanged. Data which is being exchanged from sender
to receiver in fact carries complete information about the recipient, and at
each intermediate destination it is decided how to proceed further,
like it happens in the case of postal networks. This uses a data
communication technique known as packet switching. Example is

The following four terms can be considered while transferring data from
Sender to Receiver / Basic issues to be addressed:

a) Routing: It refers to the process of deciding how to communicate the

data from source to destination in a network.
b) Bandwidth: It refers to the amount of data which can be sent across a
network in a given time. It indicates the speed of network communication,
and bandwidth is measured in Mbps / Gbps etc.
c) Resilience: It refers to the ability of a network to recover from any kind of
error like connection failure, loss of data etc.
d) Contention: It refers to the situation that arises when there is a conflict for
some common resource. For example, network contention could arise
when two or more computer systems try to communicate at the same time.
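Packet switching, as described for connectionless networks in 25(b), works because each piece of data carries everything needed to route and reassemble it on its own. The following is an added example written for this page, not code from the study material or from any network stack: a sender breaks a message into packets carrying the sender's address, the destination address, a sequence number and a piece of the message, the network delivers them out of order with no connection set up beforehand, and the receiver uses the sequence numbers to rebuild the message or to notice that a piece is missing. The addresses, the message and the 8-byte packet size are constructed.

```python
"""Added example (not from the study material): packet switching as described for
connectionless networks in 25(b). The sender breaks a message into packets that
each carry the sender's address, the destination address, a sequence number and
a piece of the message; the network may deliver them in any order, and the
receiver uses the sequence numbers to put the message back together.
Addresses, the message and the packet size are constructed."""
from dataclasses import dataclass

MTU = 8  # constructed maximum payload per packet, in bytes


@dataclass(frozen=True)
class Packet:
    src: str        # sender's address
    dst: str        # destination address
    seq: int        # position of this piece within the message
    total: int      # how many pieces make up the whole message
    payload: bytes  # this piece of the message


def fragment(message, src, dst, mtu=MTU):
    """Split a message into self-describing packets; each can travel on its own."""
    pieces = [message[i:i + mtu] for i in range(0, len(message), mtu)] or [b""]
    return [Packet(src, dst, seq, len(pieces), piece) for seq, piece in enumerate(pieces)]


def connectionless_delivery(packets):
    """Model of the network: no set-up, no ordering guarantee. Here the odd-numbered
    packets overtake the even-numbered ones, a deterministic out-of-order arrival."""
    return packets[1::2] + packets[0::2]


def reassemble(received, my_address):
    """Rebuild the message from whatever arrived, or None if a piece is missing."""
    mine = {p.seq: p for p in received if p.dst == my_address}
    if not mine:
        return None
    total = next(iter(mine.values())).total
    if any(seq not in mine for seq in range(total)):
        return None   # a piece was lost; a real stack would ask the sender to resend
    return b"".join(mine[seq].payload for seq in range(total))


if __name__ == "__main__":
    msg = b"hello packet switched world"
    sent = fragment(msg, "10.0.0.1", "10.0.0.2")
    arrived = connectionless_delivery(sent)
    print([p.seq for p in arrived])                 # [1, 3, 0, 2]
    print(reassemble(arrived, "10.0.0.2") == msg)   # True
```

Contrast this with the connection-oriented case in 25(a): there the circuit set up in advance guarantees order and a fixed path, so no sequence number is needed, but the capacity is reserved whether or not data is flowing; here nothing is reserved, and the cost is that the receiver must do the ordering and detect loss itself.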

26. Write about several benefits of a computer network.

The following are the important benefits of a computer network:

a) Distributed nature of information: Computer networks provide a distributed
data processing system wherein information can be distributed
geographically and data can be processed from anywhere. E.g. In the case
of a banking company, accounting information of various customers could be
distributed across various branches, but to make the Consolidated Balance
Sheet at the year-end, it would need networking to access information from
all its branches.
b) Resource Sharing: Data could be stored at a central location and
shared across different systems. Resource sharing
could also be in terms of sharing peripherals like printers, which are
normally shared by many systems. E.g. In the case of a CBS, bank
data is stored at a Central Data Centre and could be accessed by all
branches as well as ATMs.
c) Computational Power: The computational power of most
applications would increase drastically as computers in a network can
use and share each other's computational power. For example:
processing in an ATM machine in a bank is distributed between the ATM
machine and the central computer system of the bank, thus reducing the
load on both.
d) Reliability: Many critical applications should be available 24x7; if such
applications are run across different systems which are distributed
across the network, then the reliability of the application would be high. E.g.
In a city there could be multiple ATM machines so that if one ATM fails,
one could withdraw money from another ATM.
e) User communication: Networks allow users to communicate using e-
mail, newsgroups, video conferencing, etc.

27. Explain the following terms
· Packet:
§ The fundamental unit of data transmitted over the Internet. When a device intends
to send a message to another device (for example, your PC sends a request to
YouTube to open a video), it breaks the message down into smaller pieces, called
§ Each packet has the sender’s address, the destination address, a sequence
number, and a piece of the overall message to be sent.
· Repeater:
§ A repeater regenerates the signal over the same network before the signal
becomes too weak or corrupted, to extend the length over which the signal can be
transmitted on the same network.
§ They do not amplify the signal; rather, when the signal becomes weak, they
copy the signal bit by bit and regenerate it at its original strength.
· HUB: A hub is used in a LAN for sharing network resources such as servers,
LAN workstations, printers, etc.
· Bridges: A bridge is a communications processor that connects numerous Local Area
Networks (LANs). It magnifies the data transmission signal while passing data from
one LAN to another.
· Routers: A router is a communication processor that interconnects networks based
on different rules or protocols. It also helps to select the best route
(shortest and most reliable) when multiple paths are available.
· MAC Address:
§ These are most often assigned by the manufacturer of a Network Interface
Controller (NIC) and are stored in its hardware, such as the card’s read-only
§ If assigned by the manufacturer, a MAC address usually encodes the
manufacturer’s registered identification number.

· Network topology:
§ The geometrical arrangement of computer resources, remote devices, and
communication facilities is known as network structure or network topology.
§ A network structure determines how one computer in the network can
communicate with other computers.
§ Common topologies are:
o Star Network that involves a central unit with a number of terminals tied into
o Bus Network in which a single length of wire, cable, or optical fiber (called
bus) connects several computers;
o Ring Network much like a bus network, except the length of wire, cable, or
optical fiber connects to form a loop; and
o Mesh Network in which each node is connected by a dedicated point to
point link to every node.

· Transmission Mode:
§ It determines the direction of data flow from one system to another system in
a communication network.
§ There are three different transmission modes.
o Simplex: In this mode, data is transmitted in one direction only.
o Half duplex: It allows data to be transmitted in both directions, but only
one way at a time.
o Full duplex: A full duplex connection can simultaneously transmit and
receive data between two stations.

· Protocols:
§ A protocol is a formal set of rules for error-free and reliable data
communication. In a network, many devices are connected to each other to
exchange data and information. In order to have a smooth and correct exchange
of information between the various connected devices in the network, these
devices must adhere to a set of rules, and these rules are known as protocols.
§ Protocols allow heterogeneous computers to talk to each other.
· IP Address:
§ Every device that communicates on the Internet, whether it be a personal
computer, a tablet, a smartphone, or anything else, is assigned a unique
identifying number called an IP (Internet Protocol) address.
§ For example, let’s say the domain has the IP address of
§ Historically, the IP-address standard used has been IPv4 (version 4); the
standard currently in use is IPv6 (version 6).
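The two address types described under MAC Address and IP Address can be checked mechanically. The following is an added example for these notes (not code from the original study material): it splits a MAC address into the manufacturer's registered identifier (OUI) and the two flag bits carried in the first octet, and classifies an IP address by version using Python's standard library. All addresses used are constructed samples, and the helper names are this example's own.

```python
"""MAC address and IP address parsing: an added example for the notes above,
not from the original study material. All addresses below are constructed."""
import ipaddress
import re


def parse_mac(text: str) -> dict:
    """Split a MAC address into the manufacturer's OUI and the two flag bits
    that live in the first octet (IEEE 802 addressing)."""
    hex_digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hex_digits):
        raise ValueError(f"not a MAC address: {text!r}")
    octets = bytes.fromhex(hex_digits)
    return {
        "canonical": ":".join(f"{b:02x}" for b in octets),
        # first three octets: the manufacturer's registered identifier (OUI)
        "oui": octets[:3].hex().upper(),
        # bit 1 of the first octet set: the address was assigned locally (for
        # example by privacy randomisation), so the OUI no longer identifies
        # a manufacturer and an asset inventory keyed on it is unreliable
        "locally_administered": bool(octets[0] & 0x02),
        # bit 0 of the first octet set: group (multicast) address, never one NIC
        "multicast": bool(octets[0] & 0x01),
    }


def classify_ip(text: str) -> dict:
    """Report the IP version and basic address class using the standard library."""
    addr = ipaddress.ip_address(text.strip())   # raises ValueError on malformed input
    return {
        "version": addr.version,          # 4 for IPv4, 6 for IPv6
        "canonical": addr.compressed,     # IPv6 shown in its compressed form
        "private": addr.is_private,
        "loopback": addr.is_loopback,
    }
```

A practical use of the locally-administered flag on the defender's side: devices that randomise their MAC address show up with that bit set, so an inventory or a NAC policy that relies on the OUI to recognise a vendor should treat those entries separately.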

· Domain Name:
§ A Domain Name is a human-friendly name for a device on the Internet.
§ These names generally consist of a descriptive text followed by the top-level
domain (TLD).
§ For example, Wikipedia’s domain name is; Wikipedia describes the
organization and .org is the top-level domain.
§ In this case, the .org TLD is designed for non-profit organizations.
§ Other well-known TLDs include .com, .net, and .gov.

· Domain Name System (DNS):

§ DNS acts as the directory of the Internet.
§ When a request to access a device with a domain name is given, a DNS server is
queried. It returns the IP address of the device requested, allowing for proper

· Packet Switching:
§ When a packet is sent from one device out over the Internet, it does not follow a
straight path to its destination.
§ Instead, it is passed from one router to another across the Internet until it
reaches its destination.
§ In fact, sometimes two packets from the same message will take different routes.
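The Packet and Packet Switching points above fit together: because pieces of one message may travel different routes, they can arrive out of order, and the sequence number in each packet is what lets the receiver rebuild the message. The following is an added illustration for these notes (not code from the original material): it breaks a message into packets carrying sender, destination, sequence number and a piece of the data, delivers them in a shuffled order, and reassembles them, refusing to complete a message when a packet is missing. The addresses, message and helper names are constructed for the example.

```python
"""Packets, sequence numbers and packet switching: an added illustration for the
notes above (not part of the original study material). The message, the
addresses and the delivery order below are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional
import random


@dataclass(frozen=True)
class Packet:
    src: str        # sender's address
    dst: str        # destination address
    seq: int        # sequence number of this piece within the message
    total: int      # how many pieces make up the whole message
    payload: bytes  # this packet's piece of the overall message


def fragment(message: bytes, src: str, dst: str, mtu: int) -> List[Packet]:
    """Break a message into packets carrying at most `mtu` payload bytes each."""
    if mtu <= 0:
        raise ValueError("mtu must be positive")
    pieces = [message[i:i + mtu] for i in range(0, len(message), mtu)] or [b""]
    return [Packet(src, dst, seq, len(pieces), piece)
            for seq, piece in enumerate(pieces)]


def reassemble(received: List[Packet]) -> Optional[bytes]:
    """Rebuild the original message from packets in any arrival order.

    Returns None if a sequence number is missing (a packet was lost) or if the
    packets do not all belong to one message (same sender, destination, total).
    """
    if not received:
        return None
    first = received[0]
    for p in received:
        if (p.src, p.dst, p.total) != (first.src, first.dst, first.total):
            return None
    by_seq = {p.seq: p.payload for p in received}
    if set(by_seq) != set(range(first.total)):
        return None  # gap in the sequence: the receiver cannot complete the message
    return b"".join(by_seq[i] for i in range(first.total))


def send_over_switched_network(message: bytes, seed: int = 7) -> Optional[bytes]:
    """Model packet switching: pieces of one message take different routes and
    arrive in an arbitrary order; sequence numbers let the receiver restore it."""
    packets = fragment(message, src="192.0.2.10", dst="198.51.100.20", mtu=8)  # constructed addresses
    arrival = packets[:]
    random.Random(seed).shuffle(arrival)  # the network does not preserve sending order
    return reassemble(arrival)


if __name__ == "__main__":
    sample = b"Hello from the study notes on packet switching!"
    print(send_over_switched_network(sample) == sample)
```

The missing-sequence check is the part worth noticing: a receiver that simply concatenated whatever arrived would silently deliver a corrupted message, which is why real transport protocols track sequence numbers and request retransmission of gaps.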

· Wi-Fi:
§ Wi-Fi is the name of a popular Wireless Networking technology that uses radio
waves to provide wireless high-speed Internet and reliable network connections.
§ It has limited range. A typical wireless access point might have a range of 65 ft.
§ The Wi-Fi Alliance defines Wi-Fi products based on the Institute of Electrical and
Electronics Engineers' (IEEE) 802.11 standards.

§ One of the primary places where Wi-Fi is being used is in the home.
§ However, with the increase in smartphone sales, Wi-Fi hotspot services are being
provided at various public places to provide better customer service.

· Voice Over IP (VoIP):

§ A growing class of data being transferred over the Internet is Voice Data.
§ A protocol called VoIP enables sounds to be converted to a digital format for
transmission over the Internet and then recreated at the other end.
§ By using many existing technologies and software, voice communication over the
Internet is now available to anyone with a browser (think Skype, Google Hangouts,
WhatsApp calls).

Section 2: Information System Controls

1. Definition of Information Systems Control & its objective.

· Controls are the policies, procedures, practices and organizational structures
designed to provide reasonable assurance that business objectives will be achieved
and that undesired events will be prevented or detected and corrected. Controls
pertaining specifically to Information Systems are referred to as Information Systems
· Objective of Controls:
§ The objective of controls is to reduce or, if possible, eliminate the causes of
exposure to potential loss.
§ Exposures are potential losses due to threats materializing. All exposures have

2. Effect or Impact of technology on Internal Controls

The following are the impacts of a computer / computerized environment on internal control.
· Personnel: Skilled / trained employees are considered a form of preventive
control. Whether or not staff is trustworthy, if they know what they are doing and
have the appropriate skills and training to carry out their jobs to a competent

· Segregation of duties: Segregation of duties is required to ensure that a single
employee or group cannot put through a complete transaction. In a computerized
environment this is achieved by enabling role-based access / restricting access
Apart from segregation at the transaction level, it is important to have the same
even at the job definition level for IT staff, i.e. system developers cannot initiate
system maintenance activity.

3. What are the different Information Systems Control Techniques / Categorization of
IS Controls?

Internal controls can be classified into various categories as under:

Categorization based on Objective:
· Preventive controls
· Detective controls
· Corrective controls
· Compensatory controls

Categorization based on Nature of IS Resource:
· Environmental controls
· Physical Access controls
· Logical Access controls

Categorization based on Audit Function:
· Managerial Controls
· Application Controls

4. Explain preventive controls and its characteristics.

Preventive controls: (PM)
· Detect problems before they arise.
· Attempt to predict potential problems before they occur & make adjustments.
· Prevent an error, omission or malicious act from occurring.
· Ex: Proper training, job definition & segregation of duties, physical & logical access
control, firewalls.

Characteristics of Preventive Controls

· Understanding vulnerabilities of the asset is required
· Understanding of probable threats is required
· Provision of necessary controls for preventing probable threats from materializing and
exploiting the vulnerabilities.

5. Explain detective controls and its characteristics.

Detective controls:
· Are designed to detect errors, omissions or malicious acts that occur and report the
· Ex: Hash totals, CCTV, review of audit logs, BRS (Bank Reconciliation Statement).
Characteristics of Detective Controls
· Clear understanding of lawful activities so that anything which deviates from these
is reported as unlawful, malicious, etc.
· An established mechanism to refer the reported unlawful activities to the appropriate
person or group
· Interaction with the preventive control to prevent such acts from occurring
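Hash totals, the first detective control listed above, are simplest to understand in code. The following is an added example for these notes (not from the original material): the data owner computes three control totals for a batch before it is handed over for processing, the totals are recomputed afterwards, and any total that no longer agrees points to a dropped, altered or misdirected record. The batch contents, account numbers and function names are constructed for the example.

```python
"""Batch control totals (record count, financial total, hash total) as a
detective control over a batch of transactions. Added example for the notes
above, not from the original material; the batches below are constructed."""
from decimal import Decimal
from typing import Dict, List

Transaction = Dict[str, str]   # {"account": "...", "amount": "..."} as keyed from source documents


def control_totals(batch: List[Transaction]) -> Dict[str, object]:
    """Totals computed by the data owner before the batch leaves their hands."""
    return {
        "record_count": len(batch),
        # financial total: the sum of the amounts, the figure that must reach the ledger
        "financial_total": sum((Decimal(t["amount"]) for t in batch), Decimal("0")),
        # hash total: the sum of a field with no monetary meaning (account numbers);
        # it catches a record being dropped, duplicated or posted to another account
        "hash_total": sum(int(t["account"]) for t in batch),
    }


def reconcile(expected: Dict[str, object], processed: List[Transaction]) -> List[str]:
    """Recompute the totals after processing and name the ones that no longer agree.
    An empty list means the batch is complete and unaltered as far as totals can tell."""
    actual = control_totals(processed)
    return [name for name in expected if expected[name] != actual[name]]


# Constructed sample batch as keyed from source documents.
SOURCE_BATCH = [
    {"account": "10045", "amount": "1250.00"},
    {"account": "10078", "amount": "300.50"},
    {"account": "10112", "amount": "89.99"},
]
EXPECTED = control_totals(SOURCE_BATCH)


def demo_cases() -> Dict[str, List[str]]:
    """Which total catches which kind of processing error."""
    dropped = SOURCE_BATCH[:2]                                                 # one record lost
    wrong_acct = [dict(SOURCE_BATCH[0], account="10054")] + SOURCE_BATCH[1:]   # digits transposed
    wrong_amt = SOURCE_BATCH[:2] + [dict(SOURCE_BATCH[2], amount="98.99")]     # amount altered
    swapped = [dict(SOURCE_BATCH[0], amount="300.50"),                         # two amounts exchanged
               dict(SOURCE_BATCH[1], amount="1250.00"), SOURCE_BATCH[2]]
    return {
        "dropped_record": reconcile(EXPECTED, dropped),
        "transposed_account": reconcile(EXPECTED, wrong_acct),
        "altered_amount": reconcile(EXPECTED, wrong_amt),
        "amounts_swapped": reconcile(EXPECTED, swapped),   # all totals still agree
    }
```

The last case shows the limit of the control: when two amounts are exchanged between records, every total still agrees, so batch totals detect omission and alteration of a single field but not every rearrangement, which is why they are combined with record-level validation rather than relied on alone.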
6. Explain corrective controls and its characteristics.

Corrective controls
· Are designed to reduce the impact or correct an error once it has been detected.
· Ex: Cleaning a file detected to contain a virus, data backups, standby server, failover
networks etc. (Business continuity plan)

Characteristics of Corrective Controls

· Minimize the impact of the threat
· Correct error arising from a problem
· Feedback from preventive and detective controls
· Modify the processing systems to minimize future occurrences of the problem.

7. Explain compensatory controls


While ideally the organization would like to implement a primary control, due to various
constraints like technology, cost etc. it may not be able to do so. In such
circumstances it is advisable to implement compensatory controls, which can be defined
as follows: “compensatory controls reduce the risk of the original / primary controls not
being in place.” They do not replace the original controls and are not as effective as the
original controls.

8. Explain environmental controls

Environmental Controls: These are the controls relating to the IT environment, such as
power, air-conditioning, Uninterruptible Power Supply (UPS), smoke detection, fire
extinguishers, dehumidifiers etc.

Fire Damage:

1. Hand-Held Fire Extinguishers

· Fire extinguishers should be placed at carefully chosen locations throughout the area. They should
be tagged for inspection and inspected at least annually.

2. Manual Fire Alarms

· Hand-pull fire alarms should be purposefully placed throughout the facility. The
resulting audible alarm should be linked to a monitored guard station.

3. Fire Suppression Systems

· These systems are activated when excessive heat is generated due to fire. Like smoke
alarms, they are designed to produce audible alarms when activated and should be
regularly monitored. In addition to precautionary measures, the system should be
segmented so that a fire in one part of a large facility does not activate the entire

4. Smoke Detectors
· Smoke detectors are positioned above and below the ceiling tiles.
· Upon activation, these detectors should produce an audible alarm and must be linked
to a monitored station (for example, a fire station).

5. Regular Inspection by Fire Department

· An annual inspection by the fire department should be carried out to ensure that all fire
detection systems act in accordance with building codes. Also, the fire department
should be notified of the location of the computer room, so that it can be equipped with
the tools appropriate for electrical fires.

6. Fireproof Walls, Floors and Ceilings surrounding the Computer Room

· The information processing facility should be surrounded by walls that control or
block fire from spreading. The surrounding walls should have at least a one- to
two-hour fire resistance rating.

7. Strategically Locating the Computer Room

· To reduce the risk of flooding, the computer room should not be located in the
basement of a multi-storied building. Studies reveal that computer rooms located on
the top floor are less prone to the risk of fire, smoke and water.

8. Wiring Placed in Electrical Panels and Conduit

· Electrical fires are always a risk. To reduce the risk of such a fire occurring and
spreading, wiring should be placed in fire-resistant panels and conduit. This
conduit generally lies under the fire-resistant raised computer room floor.

Power Spikes:

9. Electrical Surge Protectors

· The risk of damage due to power spikes can be reduced to a great extent using
electrical surge protectors.

10. Uninterruptible Power Supply (UPS) / Generator

· A UPS system consists of a battery or gasoline-powered generator that interfaces
between the electrical power entering the facility and the electrical power entering the
computer. The system typically cleanses the power to ensure that the wattage into the
computer is consistent.

11. Emergency Power-Off Switch

· When immediate power shutdown becomes necessary during an emergency, two
emergency power-off switches, one in the computer room and the other near but
outside the computer room, would serve the purpose.

Water Damage:

12. Water Detectors

· Water detectors should be present near any unattended equipment storage facilities.
· When activated, the detectors should produce an audible alarm that can be heard by
security and control personnel.

13. Some of the other major ways of protecting the installation against water damage are
as follows:
· Wherever possible have waterproof ceilings, walls and floors;
· Ensure an adequate positive drainage system exists;
· Install alarms at strategic points within the installation;
· In flood-prone areas, locate the installation on the upper floors but not on the top floor;
· Waterproofing; and
· Water leakage alarms.

Pollution damage and others:


14. Power Leads from Two Substations

· Electrical power lines are exposed to many environmental dangers, such as
water, fire, lightning, cutting due to careless digging etc. To avoid these types of
events, redundant power links should feed into the facility, so that interruption of
one power supply does not adversely affect the electrical supply.

15. Prohibitions Against Eating, Drinking and Smoking within the Information
Processing Facility
· Eating, drinking and smoking should be prohibited in the information processing facility. This
prohibition should be made clear, e.g. by a sign on the entry door.

16. The major pollutant in a computer installation is dust. Dust caught between the
surfaces of magnetic tape / disk and the reading and writing heads may cause either
permanent damage to data or read/write errors.

9. Explain various physical access control techniques

· Physical access controls are designed to protect the organisation from
unauthorized access or, in other words, to prevent illegal entry.

1. Door Locks: (PM)

· Cipher locks (combination door locks): These work on number combinations. The
lock consists of a push-button panel that is mounted near the door, outside the
secured area. There are ten numbered buttons on the panel. To enter, a person
presses a four-digit number sequence and the door will unlock for a
predetermined period. (Can include biometrics as well.)
· Bolting door locks: These operate with a special metal key.
· Electronic door locks: These work on a card swipe or proximity card, which
involves issuing cards to users with authorization privileges embedded in
the card. This is a superior method compared to other methods as it facilitates
easy user access management, and restriction or deactivation can be centrally

2. Physical Identification Medium:

· Personal identification numbers (PIN): A secret number is assigned to the
individual which, in conjunction with some means of identifying the individual,
serves to verify the authenticity of the individual. The visitor will be asked to log
on by inserting a card in some device and then enter their PIN via a PIN keypad for
authentication. The entry will be matched with the PIN numbers available in the
security database.
· Plastic cards: These cards are used for identification purposes. Controls over
cards seek to ensure that customers safeguard their card so it does not fall into
unauthorized hands.
· Identification Badges: Special identification badges can be issued to personnel
as well as visitors
§ Sophisticated photo IDs can also be utilized as electronic card keys.
§ Issuing, accounting for and retrieving the badges are administrative processes that
must be carefully controlled.

3. Logging on utilities:
· Manual logging:
§ All visitors should be prompted to sign a visitor’s log indicating their name,
the company represented, the purpose of their visit and the person to see.
§ Logging may happen at both the front reception and the entrance to the computer
§ A valid and acceptable identification such as a driver’s license, business card or
vendor identification tag may also be asked for before gaining entry inside the
· Electronic logging: This feature is a combination of electronic and biometric
security systems. Users logging in can be monitored and unsuccessful
attempts highlighted.

4. Other means of controlling physical Access:

· Video cameras: Cameras strategically located & footage monitored at security
station. The footage is retained for a period of time for future playback.
· Security Guards: Physical monitoring of visitors accessing the facilities.
· Controlled visitor access: All visitors are escorted by an employee through the
organization until they leave the organization.
· Bonded personnel: An NDA or bond needs to be executed by all service or
contract staff, to reduce the risk arising out of financial exposures.
· Computer terminal locks: These locks ensure that the device is not turned on or
disengaged from the desk by unauthorized persons.
· Controlled Single Point Entry: There should be only one physical entry point so
that it is easy to monitor.
· Perimeter fencing: Fencing at the boundary of the facility.
· Alarm System: Illegal entry can be avoided by linking the alarm system to motion
detectors at inactive entry points and to reverse flows through enter-only or exit-only
doors. Security personnel should be able to hear the alarm when

10. What are logical access controls?

· Computer-based access controls are called logical access controls.
· Logical access controls are the system-based mechanisms used to designate
who or what is to have access to a specific system resource, and the type of
transactions and functions that are permitted.

11. Explain logical access violators

Logical Access Violators are often the same people who exploit physical exposures,
although the skills needed to exploit logical exposures are more technical and complex.
They are mainly:
· Hackers: Hackers try their best to overcome restrictions to prove their ability.
· Employees (authorized or unauthorized);
· IS Personnel: They have the easiest access to computerized information, since
they come across information while discharging their duties. Segregation of
duties and supervision help to reduce logical access violations;
· Former Employees: One should be cautious of former employees who have left the
organization on unfavorable terms;
· End Users; Interested or Educated Outsiders; Competitors; Foreigners; Organized
Criminals; Crackers; Part-time and Temporary Personnel; Vendors and
consultants; and Accidental Ignorant – Violation done unknowingly.

12. What are the different types of logical access exposures / threats?

1. Technical exposure
Technical exposures include unauthorized implementation or modification of data and
software. Technical exposures include the following:

i) Data Diddling:
Data diddling involves changing data before or as they are entered into
the system. Limited technical knowledge is required to data diddle, and the
worst part is that it occurs before computer security can protect the data.

ii) Logic Bombs: (PM)

Malicious code planted into a computer program which triggers when a specified
logical condition is satisfied.
Ex: If Income is 1,80,000/- delete all data.
iii) Time Bombs: (PM)
Malicious code planted into a computer program which is triggered on a
particular date or time as set.
Ex: If the date is 29th February, delete all data.

iv) Trojan horse: (PM)

A malicious program hidden inside a legitimate program, causing illegitimate
action. It may be a password-stealing Trojan, or it may modify records in files or allow
access to an unauthorized user. They are difficult to detect.

v) Worms: (PM)
· A worm is a program that resides in the computer’s memory and replicates
into areas of idle memory.
· A worm systematically occupies idle memory until the memory is exhausted and
the system fails. Their damage is limited, as the network traffic they generate
grows so exponentially that they can be quickly identified and blocked.
· A worm is similar to a virus in terms of self-replication.

vi) Rounding down:

Refers to rounding a small fraction of a denomination down and transferring the
small fractions into an unauthorized account, e.g. 21,23,560.59 becomes

vii) Salami Technique

Refers to slicing of small amounts of money from a computerized transaction
or account.
Ex: 21,23,560.59 becomes 21,23,560.50 or 21,23,560.00

viii) Trapdoors:
· System programmers insert code (in a program) which bypasses the usual
controls, but only with a positive objective.
· Ex: for program debugging, used by developer / maintenance staff.
· This code is generally removed after the activity. But when it is not
removed, it may become a reason for compromise.

2. Asynchronous Attacks (PM)

They occur in many environments where data can be moved asynchronously across
telecommunication lines. Numerous transmissions must wait for the clearance of the
line before data can be transmitted. Data that are waiting to be transmitted are
liable to unauthorized access; this is called an asynchronous attack.

There are many forms of asynchronous attacks.

i) Data Leakage:
Stealing information from computers by unauthorized copying onto external media like
CDs, USB storage etc., or by taking printouts of reports.
ii) Subversive Threats: Subversive attacks can provide intruders with important
information about messages being transmitted and the intruder can manipulate
these messages in many ways.

iii) Piggybacking:
· This is the act of following an authorized user through a secured door, or of
electronically attaching to an authorized telecommunication link / authorized
user.
· Ex: When a user is logged into a website, an unauthorized user follows and enters.
After an authorized user has physically entered an information processing facility,
an unauthorized user follows in before the door closes.
iv) Wire-tapping:
This involves spying on information being transmitted over telecommunication

13. List few logical access control measures.

Logical access controls serve as one of the means of information security. The purpose
of logical access controls is to restrict access to information assets/resources.
They are expected to provide access to information resources on a need-to-know and
need-to-do basis using the principle of least privilege.

Following are logical access controls.

· User Access Management:
§ User registration: Information about every user is documented. The following
questions are to be answered: Why is the user granted the access? Has the
data owner approved the access?
§ Privilege management: Access privileges are to be aligned with job
requirements and responsibilities.
§ User password management: Allocation, storage, revocation, and reissue of
passwords are password management functions. Educating users about passwords,
and making them responsible for their password, is a critical component.
§ Review of user access rights: A user's need for accessing information
changes with time and requires a periodic review of access rights to check
anomalies in the user's current job profile, and the privileges granted earlier.

· User responsibilities:
§ Password use: Mandatory use of strong passwords to maintain confidentiality.
§ Unattended user equipment: Users should ensure that none of the
equipment under their responsibility is ever left unprotected. They should also
secure their PCs with a password, and should not leave it accessible to others.

· Network Access Control:

§ Firewall:
Ø They provide perimeter security to the organization's network from
external networks. A firewall enforces access controls between two networks.
Ø All traffic between the outside network and the organization's intranet should
pass through the firewall. The firewall has a rule-based access list, as per
the security policy, which decides the permitted traffic between the
organization's intranet and the outside networks.
Ø The firewall does not allow data packets from unauthorized users or sources, or
with malicious content, to enter the private network's servers.

§ Enforced path: Based on risk assessment, it is necessary to specify the exact
path or route connecting the networks; for example, internet access by
employees will be routed through a firewall. This also serves to maintain
hierarchical access levels for both internal and external user logging.
§ Encryption:
Ø In this technique, data to be transmitted is converted from its normal form into
a secret form.
Ø The sender converts the original message, known as clear text, into a coded
equivalent known as cipher text. This cipher text is transmitted over the
communication channel. If any hacker gains access to this text, the
hacker will not be able to understand the cipher text. The cipher text is
converted back into clear text by the receiver using a decryption
Ø Two general approaches are used for encryption viz. Private key
encryption & Public key encryption.
§ Call Back Devices:
Ø It is based on the principle that the key to network security is to keep the
intruder off the Intranet rather than imposing security measure after the
criminal has connected to the intranet.

Ø The call-back device requires the user to enter a password and then the
system breaks the connection.
Ø If the caller is authorized, the call back device dials the caller’s number to
establish a new connection.
Ø This limits access only from authorized terminals or telephone numbers
and prevents an intruder masquerading as a legitimate user.
§ Policy on use of network services: An enterprise wide applicable network /
internet policy should be there. Selection of appropriate services and approval
to access them will be part of this policy.
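The rule-based access list described under Firewall above can be shown as a small policy evaluator. The following is an added example for these notes (not code from the original material, and not any vendor's rule syntax): rules are checked in order, the first match decides, and a packet matching no rule is denied, which is the default-deny posture the notes describe. The address ranges, rules and packets are constructed; the intranet is taken to be 10.0.0.0/8 and the organization's public web server to be 203.0.113.10.

```python
"""Rule-based access list of the kind a firewall applies between the intranet
and outside networks: the first matching rule wins, anything unmatched is denied.
Added example for the notes above, not from the original material; the
addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port
    comment: str = ""


@dataclass(frozen=True)
class PacketHeader:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: PacketHeader) -> bool:
    return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: PacketHeader) -> Tuple[str, Optional[Rule]]:
    """Return the decision and the rule that produced it (None = default deny)."""
    for rule in rules:            # order matters: the first match decides
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None           # default deny: traffic the policy does not permit is dropped


# Constructed policy. 203.0.113.0/24 is the organisation's public range with the
# web server at .10; 10.0.0.0/8 is the intranet.
POLICY = [
    Rule("deny",  "0.0.0.0/0",  "203.0.113.10/32", "tcp", 22,  "no administration from outside"),
    Rule("allow", "0.0.0.0/0",  "203.0.113.10/32", "tcp", 443, "public HTTPS to the web server"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0",       "tcp", 443, "employees browse via the enforced path"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0",       "udp", 53,  "DNS lookups from the intranet"),
]


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Convenience wrapper: the decision for one packet under POLICY."""
    return evaluate(POLICY, PacketHeader(src_ip, dst_ip, proto, dport))[0]
```

The explicit deny for port 22 sits before the allow rules on purpose: because the first match wins, an allow placed above it would make the deny unreachable, and reviewing rule order for exactly that kind of shadowing is a routine part of a firewall rule-base audit.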

· Operating System Access Control:

§ Terminal log-on procedures: This is the key security feature provided by the
operating system which helps to prevent unauthorized access. It allows only
authorized users to access the computer system by validating the user’s ID and
§ Access control list: The user ID and password are compared with the access control
list and, if they match, the user is granted access.
§ Access Token: If the user’s log-in is successful, then the operating system creates an
access token that contains key information about the user such as ID, password,
user group and access rights granted to the user. The access token remains valid for a
particular session, and it keeps all the event information of that session in a log
§ Password management system: An operating system could enforce
selection of good passwords. Internal storage of password should use
one-way encryption algorithms and the password file should not be
accessible to users.
§ Terminal time out: Log out the user if the terminal is inactive for a defined
period. This will prevent misuse in absence of the legitimate user.
§ Limitation of connection time: Define the available time slot. Do not allow
any transaction beyond this time period. For example, no computer access
after 8.00 p.m. and before 8.00 a.m.—or on a Saturday or Sunday.
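The operating system access controls listed above (log-on procedure, access control list, access token, one-way password storage, terminal time-out and limitation of connection time) can be seen working together in one small model. The following is an added example for these notes, not code from the original material or from any operating system: passwords are stored only as salted, iterated one-way hashes; a successful log-on issues a session token carrying the user's group and rights; each request revalidates the token and an idle period longer than the limit logs the terminal out; and log-ons outside the permitted window are refused. The users, groups, rights table, the 15-minute time-out and the 08:00-20:00 weekday window are constructed assumptions.

```python
"""Terminal log-on procedure with the controls named above: access control
list, one-way (salted, iterated) password storage, session access token,
terminal time-out and a connection-time window. Added example for the notes,
not from the original material; users, groups, rights and the 08:00-20:00
weekday window are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional

INACTIVITY_LIMIT = timedelta(minutes=15)      # terminal time-out
WORK_START, WORK_END = 8, 20                  # connection allowed 08:00-20:00, Monday-Friday
GROUP_RIGHTS = {                              # assumed rights per user group
    "finance": {"read", "write"},
    "auditor": {"read"},
    "admin": {"read", "write", "delete", "execute"},
}
_DUMMY_SALT = os.urandom(16)                  # so an unknown ID costs the same time as a wrong password


def _derive(password: str, salt: bytes) -> bytes:
    # one-way: the stored value cannot be turned back into the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def within_connection_window(now: datetime) -> bool:
    """Limitation of connection time: weekdays, 08:00 to 19:59 only."""
    return now.weekday() < 5 and WORK_START <= now.hour < WORK_END


class OperatingSystemAccess:
    def __init__(self) -> None:
        self._acl: Dict[str, dict] = {}      # user id -> salt, password hash, group
        self._tokens: Dict[str, dict] = {}   # session id -> access token
        self.event_log: list = []            # every log-on event, success or failure

    def register(self, user: str, password: str, group: str) -> None:
        salt = os.urandom(16)                # per-user salt: equal passwords give different hashes
        self._acl[user] = {"salt": salt, "hash": _derive(password, salt), "group": group}

    def logon(self, user: str, password: str, now: datetime) -> Optional[dict]:
        """Validate ID and password against the ACL; return an access token or None."""
        if not within_connection_window(now):
            self.event_log.append((now, user, "LOGON REFUSED outside connection window"))
            return None
        entry = self._acl.get(user)
        salt = entry["salt"] if entry else _DUMMY_SALT
        candidate = _derive(password, salt)
        ok = entry is not None and hmac.compare_digest(candidate, entry["hash"])
        if not ok:
            self.event_log.append((now, user, "LOGON FAILURE"))
            return None
        token = {
            "session": secrets.token_hex(16),
            "user": user,
            "group": entry["group"],
            "rights": GROUP_RIGHTS[entry["group"]],
            "last_activity": now,
        }
        self._tokens[token["session"]] = token
        self.event_log.append((now, user, "LOGON SUCCESS"))
        return token

    def validate(self, session: str, now: datetime) -> bool:
        """Check the token on each request; log the terminal out after INACTIVITY_LIMIT idle."""
        token = self._tokens.get(session)
        if token is None:
            return False
        if now - token["last_activity"] > INACTIVITY_LIMIT:
            del self._tokens[session]
            self.event_log.append((now, token["user"], "TERMINAL TIME-OUT"))
            return False
        token["last_activity"] = now         # activity resets the idle timer
        return True


def demo() -> dict:
    """Scripted scenario (constructed): a weekday session, refused attempts, a time-out."""
    acs = OperatingSystemAccess()
    acs.register("alice", "correct horse battery", "finance")
    tuesday_10 = datetime(2024, 3, 5, 10, 0)
    token = acs.logon("alice", "correct horse battery", tuesday_10)
    return {
        "rights": token["rights"] if token else None,
        "wrong_password": acs.logon("alice", "wrong", tuesday_10) is None,
        "unknown_user": acs.logon("nobody", "x", tuesday_10) is None,
        "after_hours": acs.logon("alice", "correct horse battery", datetime(2024, 3, 5, 21, 0)) is None,
        "weekend": acs.logon("alice", "correct horse battery", datetime(2024, 3, 9, 10, 0)) is None,
        "active_10min": acs.validate(token["session"], tuesday_10 + timedelta(minutes=10)),
        "idle_30min": acs.validate(token["session"], tuesday_10 + timedelta(minutes=40)),
        "events": [e[2] for e in acs.event_log],
    }
```

Note that the token issued here carries the user's group and rights but not the password: once the one-way hash has been checked, nothing else in the session needs the clear-text password, and keeping it out of the token means a leaked session record cannot be replayed as a log-on.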

· Application and Monitoring System Access Control:

§ Information access restriction: Access to information is restricted by
application-specific menu interfaces, which limit access to system functions. A
user is allowed to access only those items s/he is authorized to access.
Controls are implemented on the access rights of users, for example read,
write, delete, and execute.
§ Sensitive system isolation: Based on the criticality of system in an enterprise
it may even be necessary to run the system in an isolated environment.
§ Event logging: In Computer systems it is easy and viable to maintain
extensive logs for all types of events. It is necessary to review if logging is
enabled and the logs are archived properly.
§ Monitor system use: Based on the risk assessment a constant monitoring of
some critical system is essential.

· Mobile Computing:
§ Theft of data carried on the disk drives of portable computers is a high risk
factor. Both physical and logical access to these systems is critical.
Information is to be encrypted and access identifications like fingerprint,
eye-iris etc. are necessary security features.
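Event logging and monitoring of system use (listed above under Application and Monitoring System Access Control) are only useful if someone, or something, actually reviews the logs. The following is an added example for these notes, not code from the original material: it parses a handful of constructed log-on records, flags a user with repeated failures inside a short window (and notes whether a successful log-on followed), and flags successful log-ons outside business hours. The log format, the threshold of 3 failures in 5 minutes and the 08:00-20:00 business hours are assumptions made for the example.

```python
"""Review of audit logs as a detective control: flag repeated log-on failures
within a short window and log-ons outside business hours. Added example for the
notes above, not from the original material; the log lines are constructed and
the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) result=(\S+) src=(\S+)$")
FAILURE_THRESHOLD = 3                 # failures within WINDOW that warrant a look
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 20)         # 08:00-19:59 considered normal

# Constructed sample log: four quick failures then a success for bob, a normal
# log-on for alice, a single failure for dave, a late-night log-on for carol.
SAMPLE_LOG = """\
2024-03-05T10:01:07 user=bob action=LOGIN result=FAILURE src=10.1.2.3
2024-03-05T10:01:15 user=bob action=LOGIN result=FAILURE src=10.1.2.3
2024-03-05T10:01:22 user=bob action=LOGIN result=FAILURE src=10.1.2.3
2024-03-05T10:01:30 user=bob action=LOGIN result=FAILURE src=10.1.2.3
2024-03-05T10:01:41 user=bob action=LOGIN result=SUCCESS src=10.1.2.3
2024-03-05T10:30:00 user=alice action=LOGIN result=SUCCESS src=10.1.2.9
2024-03-05T11:02:00 user=dave action=LOGIN result=FAILURE src=10.1.2.5
2024-03-05T23:15:02 user=carol action=LOGIN result=SUCCESS src=10.1.2.44
"""


def parse(log_text: str) -> List[dict]:
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                       # malformed line: skipped rather than guessed at
        ts, user, action, result, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "result": result, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def review(log_text: str) -> List[Dict[str, str]]:
    """Return findings; an empty list means nothing deviated from expected activity."""
    events = parse(log_text)
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN":
            by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        failures = [e["ts"] for e in evs if e["result"] == "FAILURE"]
        # sliding window: the largest number of failures inside any WINDOW-long span
        best = 0
        for i, start in enumerate(failures):
            count = sum(1 for t in failures[i:] if t - start <= WINDOW)
            best = max(best, count)
        if best >= FAILURE_THRESHOLD:
            later_success = any(e["result"] == "SUCCESS" and e["ts"] >= failures[0] for e in evs)
            note = f"{best} logon failures within {WINDOW.seconds // 60} minutes"
            if later_success:
                note += ", followed by a successful logon"   # guessing that eventually worked?
            findings.append({"user": user, "finding": note})
        for e in evs:
            if e["result"] == "SUCCESS" and e["ts"].hour not in BUSINESS_HOURS:
                findings.append({"user": user,
                                 "finding": f"logon at {e['ts']:%H:%M} outside business hours"})
    return findings
```

The single failure for dave produces no finding, which is the point of a threshold: a review that reports every mistyped password trains people to ignore it, whereas a burst of failures that ends in success is the pattern that deserves a follow-up with the user.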

Classification on the basis of “Audit Functions”

Auditors might choose to factor systems in several different ways. Auditors have found
two ways to be especially useful when conducting information systems audits. These are
discussed below:

(A) Managerial Controls: In this part, we shall examine the managerial controls
that must be performed to ensure the development, implementation, operation
and maintenance of information systems in a planned and controlled manner in
an organization. The controls at this level provide a stable infrastructure in
which information systems can be built, operated, and maintained on a
day-to-day basis, as discussed in the following table:

Management function and the control it describes:

· Top Management: Top management must ensure that the information systems
function is well managed. It is responsible primarily for long-run policy
decisions on how Information Systems will be used in the
· Information Systems Management: IS management has overall responsibility for
the planning and control of all information system activities. It also provides
advice to top management in relation to long-run policy decision making and
translates long-run policies into short-run goals and objectives.
· Systems Development Management: Systems Development Management is responsible
for the design, implementation, and maintenance of application systems.
· Programming Management: It is responsible for programming new systems,
maintaining old systems and providing general systems support software.
· Data Administration: Data administration is responsible for addressing planning
and control issues in relation to the use of an organization’s data.
· Quality Assurance Management: It is responsible for ensuring that information
systems development, implementation, operation, and maintenance conform to
established quality standards.
· Security Administration: It is responsible for access controls and physical
security over the information systems function.
· Operations Management: It is responsible for planning and control of the
day-to-day operations of information systems.

(B) Application Controls: These include the programmatic routines within the
application program code. The objective of application controls is to ensure that data
remains complete, accurate and valid during its input, update and storage. The specific
controls could include form design, source document controls, input, processing and
output controls, media identification, movement and library management, data back-up
and recovery, authentication and integrity, legal and regulatory requirements. Any
function or activity that works to ensure the processing accuracy of the application can be
considered an application control. Necessary controls belonging to this category are
discussed in separate headings.
Application subsystem and the control it describes:

· Boundary: Comprises the components that establish the interface between the
user and the system.
· Input: Comprises the components that capture, prepare, and enter commands and
data into the system.
· Communication: Comprises the components that transmit data among subsystems
and systems.
· Processing: Comprises the components that perform decision making,
computation, classification, ordering, and summarization of data in the
· Database: Comprises the components that define, add, access, modify, and
delete data in the system.
· Output: Comprises the components that retrieve and present data to users of
the system.

1. Explain Managerial controls in detail

Managerial Functions Based Controls

(i) Top Management and Information Systems Management Controls: The senior
managers who take responsibility for IS function in an organization face many
challenges. The major functions that a senior manager must perform are as follows:

Ø Planning – determining the goals of the information systems function and the means
of achieving these goals;
· Preparing the plan: This involves the following tasks:
§ Recognizing opportunities and problems that confront the organization in
which Information technology and Information systems can be applied cost
§ Identifying the resources needed to provide the required information
technology and information systems; and
§ Formulating strategies and tactics for acquiring the needed resources.
· Types of plans: Top management must prepare two types of information systems
plans for the information systems function: a Strategic Plan and an Operational
Plan. The Strategic Plan is the long-run plan covering, say, the next three to five
years of operations, whereas the Operational Plan is the short-run plan covering, say,
the next one to three years of operations.
· Role of a Steering Committee: The steering committee shall comprise
representatives from all areas of the business and IT personnel. The committee
would be responsible for the overall direction of IT.

Ø Organizing – gathering, allocating, and coordinating the resources needed to
accomplish the goals;
· Resourcing the Information Systems Function: These resources include
hardware, software, personnel, finances and facilities. Adequate funding should be
provided to support the acquisition and development of resources.
· Staffing the Information systems Function: Staffing the Information systems
function involves three major activities - Acquisition of information systems
personnel, Development of information systems personnel through training; and
Termination of information systems personnel.

Ø Leading – motivating, guiding, and communicating with personnel. The purpose of
leading is to achieve harmony of objectives, i.e. a person’s or group’s objectives
must not conflict with the organization’s objectives.
· Motivating and Leading Information Systems Personnel: Though many
theories exist, there is no one best way of motivating and guiding all people;
the strategies for motivating and leading people therefore need to change
depending upon the particular characteristics of an individual.
· Communicating with IS Personnel: Effective communications are also essential
to promoting good relationships and a sense of trust among personnel.

Ø Controlling – comparing actual performance with planned performance as a basis for
taking any corrective actions that are needed.
· Overall Control of IS function: When top managers seek to exercise overall
control of the information systems function, two questions arise:
§ How much should the organization be spending on the information systems?
§ Is the organization getting value for the money from its information systems?
· Control of Information System Activities: Top managers should seek to control
the activities on the basis of Policies and Procedures.

(ii) Systems Development Management Controls:

System development includes the activities for developing a new system, and system
development processes follow the System Development Life Cycle (SDLC) steps.
Thus, system development controls are mainly controls related to SDLC.

1. System Authorization Activities

· All new systems requests must be properly authorized, to ensure that their economic
and other feasibilities are evaluated.
· As with any transaction, systems authorization should be formal and in writing.

2. User Specification Activities

· Users must be actively involved in the systems development process.
· User involvement should not be ignored because of a high degree of technical
complexity in the system.
· A user specification document should be created by the joint efforts of the user and
systems professionals.

3. Technical Design Activities

· The technical design activities in the SDLC translate the user specifications into a set
of detailed technical specifications of a system that meets the user’s needs.
· The scope of these activities includes general systems design and detailed
systems design.

4. Program Testing
· All programs must be thoroughly tested before they are implemented.
· The results of the tests are then compared against predetermined results to identify
programming and logic errors.
5. User Test and Acceptance Procedures
· Just before implementation, the individual modules of the system must be tested as a
unified whole.
· A test team comprising user personnel, systems professionals, and internal audit
personnel subjects the system to rigorous testing.
· Once the test team is satisfied that the system meets its stated requirements, the
system is formally accepted by the user departments.
6. Internal Auditor’s Participation
· The internal auditor plays an important role in the control of systems development
activities, particularly in organizations whose users lack technical expertise.
· Auditor’s involvement should be continued throughout all phases of the development
process and into the maintenance phase.

(iii) Programming Management Controls: Program development and implementation is a
major phase within the systems development life cycle. The primary objectives of this
phase are to produce or acquire and to implement high-quality programs. The
program development life cycle comprises six major phases – Planning; Design; Control;
Coding; Testing; and Operation and Maintenance, with the Control phase running in parallel
with all other phases as shown in the Table below. The purpose of the control phase
during software development or acquisition is to monitor progress against plan and to
ensure software released for production use is authentic, accurate, and complete.

Phase: Controls

Planning: Techniques like Work Breakdown Structures (WBS) and PERT (Program
Evaluation and Review Technique) charts can be used to monitor
progress against plan.

Design: A systematic approach to program design, such as any of the
structured design approaches, is adopted.

Coding: Programmers must choose a module implementation and integration
strategy and a documentation strategy (to ensure program code is easily
readable and understandable).

Testing: Three types of testing can be undertaken:
• Unit Testing – which focuses on individual program modules;
• Integration Testing – which focuses on groups of program modules;
• Whole-of-Program Testing – which focuses on the whole program.
These tests are to ensure that a developed or acquired program
achieves its specified requirements.

Operation and Maintenance: Three types of maintenance can be used –
Corrective Maintenance – in which program errors are corrected;
Adaptive Maintenance – in which the program is modified to meet
changing user requirements; and
Perfective Maintenance – in which the program is tuned to decrease
the resource consumption.

(iv) Data Resource Management Controls: Many organizations now recognize that
data is a critical resource that must be managed properly and therefore, accordingly,
centralized planning and control are implemented. For data to be managed better users
must be able to share data, data must be available to users when it is needed, in the
location where it is needed, and in the form in which it is needed. Further it must be
possible to modify data fairly easily and the integrity of the data be preserved. If data
repository system is used properly, it can enhance data and application system reliability.
It must be controlled carefully, however, because the consequences are serious if the
data definition is compromised or destroyed. Careful control should be exercised over
the roles by appointing senior, trustworthy persons, separating duties to the extent
possible and maintaining and monitoring logs of the data administrator’s and
database administrator’s activities.

The control activities involved in maintaining the integrity of the database are as follows:

· Definition Controls: These controls are placed to ensure that the database always
corresponds to and complies with its definition standards.

· Access Controls: Access controls are designed to prevent unauthorized individuals
from accessing data. Controls are established in the following manner:
§ User Access Controls: through passwords, tokens and biometric Controls; and
§ Data Encryption: Keeping the data in database in encrypted form.

· Update Controls: These controls restrict update of the database to authorized users
in two ways:
§ By permitting only addition of data to the database; and
§ Allowing users to change or delete existing data.

· Existence/Backup Controls: These ensure the existence of the database by
establishing backup and recovery procedures. Various backup strategies are given
as follows:
§ Dual recording of data: Under this strategy, two complete copies of the database
are maintained. The databases are concurrently updated.
§ Periodic dumping of data: This strategy involves taking a periodic dump of all or
part of the database onto some backup storage medium – magnetic tape,
removable disk, Optical disk etc. The dump may be scheduled.
§ Logging input transactions: This involves logging the input data transactions
which cause changes to the database. Normally, this works in conjunction with a
periodic dump.
§ Logging changes to the data: This involves copying a record each time it is

(v) Quality Assurance Management Controls:

Quality Assurance management is concerned with ensuring that the:

· Information systems produced by the information systems function achieve certain
quality goals; and
· Development, implementation, operation and maintenance of Information systems
comply with a set of quality standards.

The reasons for the emergence of Quality Assurance in many organizations are as follows:
· Users are becoming more demanding in terms of the quality of the software they
employ to undertake their work.
· Organizations are undertaking more ambitious information systems projects that
require more stringent quality requirements.
· Organizations are becoming more concerned about their liabilities if they produce
and sell defective software.
· Improving the quality of Information Systems is a part of a worldwide trend among
organizations to improve the quality of the goods and services they sell.

Quality Assurance (QA) personnel should work to improve the quality of information
systems produced, implemented, operated, and maintained in an organization. They
perform a monitoring role for management to ensure that –
· Quality goals are established and understood clearly by all stakeholders; and
· Compliance occurs with the standards that are in place to attain quality information

(vi) Security Management Controls:

Information security administrators are responsible for ensuring that information systems
assets categorized under Personnel, Hardware, Facilities, Documentation, Supplies,
Data, Application Software and System Software are secure. Assets are secure when the
expected losses that will occur over some time are at an acceptable level. The control’s
classification on the basis of “Nature of Information System Resources – Environmental
Controls, Physical Controls and Logical Access Controls (discussed in chapter 3)” are all
security measures against the possible threats.

Some of the major threats to the security of information systems and their controls
are discussed in the following table:
Threat: Control

Fire: Well-designed, reliable fire-protection systems must be

Water: Facilities must be designed and sited to mitigate losses from water

Energy Variations: Voltage regulators, circuit breakers, and uninterruptible power
supplies can be used.

Structural: Facilities must be designed to withstand structural damage.

Pollution: Regular cleaning of facilities and equipment should occur.

Unauthorized: Physical access controls can be used.

Viruses and Worms: Controls to prevent use of virus-infected programs and to close
security loopholes that allow worms to propagate.

Misuse of software, data and: Code of conduct to govern the actions of information systems
employees.

Hackers: Strong, logical access controls to mitigate losses from the activities
of hackers.

However, in spite of the controls in place, there is a possibility that a control might
fail. When disaster strikes, it must still be possible to recover operations and mitigate
losses using the last-resort controls - a Disaster Recovery Plan (DRP) and Insurance.
· DRP: A comprehensive DRP comprises four parts – an Emergency Plan, a Backup
Plan, a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines,
and procedures for all Information System personnel.
· Insurance: Adequate insurance must be able to replace Information Systems assets
and to cover the extra costs associated with restoring normal operations. Policies
usually can be obtained to cover resources like – Equipment, Facilities, Storage
Media, Valuable Papers and Records etc.

(vii) Operations Management Controls: Operations management is responsible for the
daily running of hardware and software facilities. Operations management typically
performs controls over the functions given below:
· Computer Operations: The controls over computer operations govern the activities
that directly support the day-to-day execution of either test or production systems on
the hardware/software platform available. Three types of controls fall under this
§ Operation controls
§ Scheduling controls
§ Maintenance controls

· Network Operations: This includes the proper functioning of network operations and
monitoring the performance of network communication channels, network devices,
and network programs and files. Data may be lost or corrupted through component
failure. The primary components in the communication sub-systems are given as follows:
§ Communication lines viz. twisted pair, coaxial cables, fiber optics, microwave
and satellite etc.
§ Hardware – ports, modems, multiplexers, switches and concentrators etc.
§ Software – Packet switching software, polling software, data compression
software etc.
Due to component failure, transmission between sender and receiver may be disrupted,
destroyed or corrupted in the communication system.

· File Library: This includes the management of an organization’s machine-readable
storage media like magnetic tapes, cartridges, and optical disks.
· Documentation and Program Library: This involves documentation librarians
ensuring that documentation is stored securely; that only authorized personnel gain
access to documentation; that documentation is kept up-to-date and that adequate
backup exists for documentation. Documentation will include security policy,
BCP/DRP, system development related documents etc.
· Help Desk/Technical support: This assists end-users to employ end-user hardware
and software such as micro-computers, spreadsheet packages, database
management packages etc. and also provides the technical support for production
systems by assisting with problem resolution.
· Capacity Planning and Performance Monitoring: Regular performance monitoring
facilitates the capacity planning wherein the resource deficiencies must be identified
well in time so that they can be made available when they are needed.
· Management of Outsourced Operations: This has the responsibility for carrying out
day-to-day monitoring of the outsourcing contract.

Application Controls

· Application controls deal with exposures or risks within the application in terms of input,
processing and output. For example, a banking application or a railway application needs
controls for error-free inputs, processing and outputs.
· Application Controls can be divided into following major categories / types.
§ Boundary Controls,
§ Input Controls,
§ Process Controls,
§ Output Controls,
§ Database Controls,
§ Communication controls

1. Boundary Controls:
§ Boundary Controls establish interface between the user of the system and the
system itself.
§ The major controls of the boundary system are the Access controls. Access
controls are implemented with an access control mechanism and links the
authentic users to the authorized resources they are permitted to access.
§ The access control mechanism has three steps of “identification”,
“authentication” and “authorization” with respect to the access control
§ Examples of Boundary Control techniques are:
o Cryptography
o Passwords
o Personal Identification Number
o Identification Cards
o Biometric devices
2. Input controls:
· The data collection component of an information system is responsible for bringing data into
the system for processing. Input control at this stage ensures that data input is valid,
accurate and complete. Data can be input either from a source document or by direct
(online) input.
· Input controls are divided into the following broad classes:
§ Source Document Control,
§ Data Coding Controls,
§ Batch controls, and
§ Validation Controls.

(a) Source Document Controls:

· Source documents are a major cause of errors and frauds in any accounting system.
Controls must be applied in a system which uses source documents to input
transactions, to ensure error-free inputs to the system. Organizations must implement
control procedures over source documents to avoid any document fraud.
· The following controls can be exercised for Source Document Control:
§ Use pre-numbered source documents: Source documents should come
pre-numbered from the printer with a unique sequential number on each document.
Source document numbers enable accurate accounting of document usage and
provide an audit trail for tracing transactions through accounting records.
§ Use source documents in sequence: Source documents should be distributed
to the users and used in sequence. This requires the adequate physical security
be maintained over the source document inventory at the user site. When not in
use, documents should be kept under lock and key and access to source
documents should be limited to authorized persons.
§ Periodically audit source documents: Missing source documents should be
identified by reconciling document sequence numbers. Periodically, the auditor
should compare the numbers of documents used to date with those remaining in
inventory plus those voided due to errors. Documents not accounted for should be
reported to management.

(b) Data Coding Controls:

Data Coding Controls are required primarily to check two types of errors which can
corrupt a data code and cause processing errors, i.e. the transcription and
transposition errors.

Transcription Errors: These fall into three classes:

§ Addition errors occur when an extra digit or character is added to the code. For
example, inventory item number 83276 is recorded as 832766.
§ Truncation errors occur when a digit or character is removed from the end of a
code. In this type of error, the inventory item above would be recorded as 8327.
§ Substitution errors are the replacement of one digit in a code with another. For
example, code number 83276 is recorded as 83266.

Transposition Errors: There are two types of transposition errors:

§ Single transposition errors occur when two adjacent digits are reversed. For
instance, 12345 is recorded as 21345.
§ Multiple transposition errors occur when nonadjacent digits are transposed. For
example, 12345 is recorded as 32154.

Controls for Data Coding Errors:

Addition and truncation errors can be controlled using fixed-length codes, e.g. a 16-digit
account number. Substitution and transposition errors can be controlled by using the
check digit control method.
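As an added illustration (my code, not part of the study material), here is how the two controls just described can be implemented together: a fixed-length check catches addition and truncation errors, and a weighted modulus-11 check digit catches substitution and transposition errors. The mod-11 weighting and the six-character code length are assumptions chosen for the example; the item numbers are the ones used above.

```python
# Added example: fixed-length check plus a weighted modulus-11 check digit.
# The mod-11 scheme is an assumption for this illustration, not one the text prescribes.


def mod11_check_digit(data: str) -> str:
    """Weight the data digits 2, 3, 4, ... starting from the rightmost digit and take
    the weighted sum modulo 11. A remainder of 10 is written as 'X' (as in ISBN-10).
    Every weight is co-prime with 11 and adjacent weights differ by 1, so any single
    substitution and any adjacent transposition changes the remainder."""
    if not data.isdigit():
        raise ValueError("data part must be digits only")
    total = sum(int(d) * w for d, w in zip(reversed(data), range(2, len(data) + 2)))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def assign_code(data: str) -> str:
    """Append the check digit when the code is originally assigned."""
    return data + mod11_check_digit(data)


def classify(full_code: str, expected_len: int) -> str:
    """Return "ok", or the name of the control that rejects the keyed code."""
    if len(full_code) != expected_len:
        return "length"        # fixed-length check: addition and truncation errors
    data, check = full_code[:-1], full_code[-1]
    if not data.isdigit() or check not in "0123456789X":
        return "picture"       # picture check: invalid characters in the code
    if mod11_check_digit(data) != check:
        return "check digit"   # substitution and transposition errors
    return "ok"


if __name__ == "__main__":
    item = assign_code("83276")            # inventory item 83276 becomes "832765"
    # constructed keying errors: extra digit, dropped digit, substitution, transposition
    for keyed in (item, "8327665", "83276", "832665", "382765"):
        print(keyed, classify(keyed, len(item)))
```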

(c) Batch Controls: Batching is the process of grouping together transactions that bear
some type of relationship to each other. Various controls can be exercised over the batch
to prevent or detect errors or irregularities. Two types of batches occur:
• Physical batches: These are groups of transactions that constitute a physical
unit. For example – source documents might be obtained via email, assembled into
batches, spiked and tied together, and then given to a data-entry clerk to be entered into
an application system at a terminal.
• Logical batches: These are groups of transactions bound together on some logical
basis, rather than being physically contiguous. For example - different clerks might use
the same terminal to enter transactions into an application system. Clerks keep control
totals of the transactions they enter into an application system.

To identify errors or irregularities in either a physical or logical batch, three types of
control totals can be calculated, as shown in the following table:
Control Total: Explanation

Financial totals: Grand totals calculated for each field containing money amounts.

Hash totals: Grand totals calculated for any code on a document in the batch,
e.g., the source document serial numbers can be totaled.

Document/Record counts: Grand totals for the number of documents or records in the batch.
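The three control totals from the table, as an added example (my code, not the study material's) on a constructed batch of four invoices: the totals the clerk writes on the batch header are reconciled against totals recalculated from what was actually keyed, and the last case shows the known limitation that two offsetting amount errors pass all three totals.

```python
# Added example: batch control totals on a constructed batch of source documents.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    doc_no: int   # serial number of the pre-numbered source document
    amount: int   # invoice value in paise (integers, so totals never suffer rounding)


# Constructed batch of four source documents handed to the data-entry clerk.
SOURCE_BATCH = [
    Invoice(1001, 250_000),
    Invoice(1002, 99_900),
    Invoice(1003, 1_200_000),
    Invoice(1004, 45_050),
]


def control_totals(batch):
    """Financial total, hash total and record count for a batch."""
    return {
        "financial total": sum(i.amount for i in batch),
        "hash total": sum(i.doc_no for i in batch),  # meaningless as a number, useful as a control
        "record count": len(batch),
    }


def reconcile(expected, keyed_batch):
    """Recalculate totals from what was keyed and list the totals that disagree.
    An empty list means the batch balances and can be released for processing."""
    actual = control_totals(keyed_batch)
    return [name for name, value in expected.items() if actual[name] != value]


# Totals the clerk computes from the paper documents before keying starts.
BATCH_HEADER = control_totals(SOURCE_BATCH)


def dropped_document():
    """Document 1003 never keyed: all three totals disagree."""
    keyed = [i for i in SOURCE_BATCH if i.doc_no != 1003]
    return reconcile(BATCH_HEADER, keyed)


def mistyped_amount():
    """99,900 keyed as 99,000: only the financial total disagrees."""
    keyed = [Invoice(1002, 99_000) if i.doc_no == 1002 else i for i in SOURCE_BATCH]
    return reconcile(BATCH_HEADER, keyed)


def transposed_doc_no():
    """Serial 1002 keyed as 1020: only the hash total disagrees."""
    keyed = [Invoice(1020, 99_900) if i.doc_no == 1002 else i for i in SOURCE_BATCH]
    return reconcile(BATCH_HEADER, keyed)


def offsetting_errors():
    """+100 on one document and -100 on another cancel out, so the batch still balances;
    this is why batch totals are paired with per-field validation controls."""
    keyed = [Invoice(1001, 250_100), SOURCE_BATCH[1], SOURCE_BATCH[2], Invoice(1004, 44_950)]
    return reconcile(BATCH_HEADER, keyed)


if __name__ == "__main__":
    print(BATCH_HEADER)
    for case in (dropped_document, mistyped_amount, transposed_doc_no, offsetting_errors):
        print(case.__name__, case())
```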

(d) Validation Controls:

· Input validation controls are used for detecting errors in data before the data is
· Depending upon type of information system, data validation for input may occur at
various points in system. Some at the time of entry and some validations are
performed by each processing module prior to updating the master file record and
some validations are done by back-end database.
· There are three levels of input validation controls:
(i) Field Interrogation
(ii) Record Interrogation
(iii) File Interrogation
(i) Field Interrogation:
· It involves programmed procedures that examine the characters of the data in the
field. The following are some common types of field interrogation. Various field checks
used to ensure data integrity have been described below:
§ Limit Check: This is a basic test for data processing accuracy and may be applied
to both the input and output data. The field is checked by the program against
predefined limits to ensure that no input/output error has occurred or at least no
input error exceeding certain pre-established limits has occurred.
§ Picture Checks: These check against entry into processing of predefined type of
character (incorrect / invalid characters.)
§ Valid Code Checks: Checks are made against predetermined transactions
codes to ensure that input data are valid.
§ Check Digit: One method for detecting data coding errors is a check digit. A
check digit is a control digit (or digits) added to the code when it is originally
assigned that allows the integrity of the code to be established during subsequent
§ Arithmetic Checks: Simple Arithmetic is performed in different ways to validate
the result of other computations of the values of selected data fields. Example:

The discounted amount for 5,000 at a 10% discount may be computed twice in the
following different ways:
5,000 – 5,000 x 10/100 = 4,500, or
next time again as (4,500/(100-10))*100 = 5,000
§ Cross Checks: These may be employed to verify fields appearing in different files
to see that the results tally.

(ii) Record Interrogation:

This includes the following:
§ Reasonableness Check: Whether the value specified in a field is reasonable for
that particular field?
§ Valid Sign: The contents of one field may determine which sign is valid for a
numeric field.
§ Sequence Check: Whether physical records follow a required order matching with
logical records?

(iii) File Interrogation:

· The purpose of file interrogation is to check that correct file is being processed.
· These controls are for master files, which contain permanent records of the firm and
which if destroyed or corrupted are difficult to replace.
§ Version Usage: Proper version of a file should be used for processing. In this
regard it should be ensured that only the most current file be processed.
§ Internal and External Labeling: Labeling of storage media is important to ensure
that the proper files are loaded for process. Where there is a manual process for
loading files, external labeling is important to ensure that the correct file is being
processed. Where there is an automated tape loader system, internal labeling is
more important.
§ Data File Security: Unauthorized access to data file should be prevented, to
ensure its confidentiality, integrity and availability.
§ File Updating and Maintenance Authorization: Sufficient controls should exist
to ensure that only authorized person should make modification / updates to the
files maintained.

3. Processing Controls:

The processing subsystem is responsible for computing, sorting, classifying, and
summarizing data. Its major components are the Central Processor in which programs
are executed, the real or virtual memory in which program instructions and data are
stored, the operating system that manages system resources, and the application
programs that execute instructions to achieve specific user requirements.

(i) Processor Controls: The processor has three components:

(a) A Control unit, which fetches programs from memory and determines their type;
(b) An Arithmetic and Logical Unit, which performs operations; and
(c) Registers, that are used to store temporary results and control information.

Four types of controls that can be used to reduce expected losses from errors and
irregularities associated with Central processors are explained in the Table:
Control: Explanation

Error Detection and Correction: Occasionally, processors might malfunction. The causes could be
design errors, manufacturing defects, damage etc. Various types of
error detection and correction strategies must be used.

Timing Controls: An operating system might get stuck in an infinite loop. In the absence
of any control, the program will retain use of the processor and prevent
other programs from undertaking their work.

Component Replication: In some cases, processor failure can result in significant losses. In
such cases redundant processors should be there which can perform
the task.

(ii) Real Memory Controls: This comprises the fixed amount of primary storage in which
programs or data must reside for them to be executed or referenced by the central
processor. Real memory controls seek to detect and correct errors that occur in memory
and to protect areas of memory assigned to a program from illegal access by another

(iii) Virtual Memory Controls: Virtual Memory exists when the addressable storage
space is larger than the available RAM. To achieve this outcome, a control mechanism
must be in place that maps virtual memory addresses into real memory addresses.

(iv) Data Processing controls:

· After the input validations, the transactions enter into the processing stage. In
the processing stage, the controls help for correct processing of transactions.
· The processing controls are divided into the following categories.
§ Run-to-run Totals: These help in verifying data that is subject to processing through
different stages. For example: if the current balance of an invoice ledger is 150,000 and
the additional invoices for the period total 20,000, then the total sales value should
be 170,000. A specific record, probably the last record, can be used to maintain the
control total.
§ Reasonableness Verification: Two or more fields can be compared and cross
verified to ensure their correctness. For example, the statutory percentage of
provident fund can be calculated on the gross pay amount to verify if the provident
fund contribution deducted is accurate.
§ Edit Checks: Edit checks similar to the data validation controls can also be used
at the processing stage to verify accuracy and completeness of data.
§ Field Initialization: Fields are only added to a record after initializing it, i.e. setting
all values to zero/blank before inserting the information. This is done to ensure
that data overflow does not occur, if records are constantly added to a table.

§ Exception Reports: Exception reports are generated to identify errors in the data
processed. Such exception reports give the transaction code and what is the error
in processing the transaction. For example, while processing a journal entry if only
debit entry was updated and the credit entry was not updated due to the absence
of one of the important fields, then the exception report would detail the
transaction code, and why it was not updated in the database.

4. Output Controls:
· These controls ensure that error free output is delivered to authorized users and in a
secured manner.
· Controls can be for different form of outputs (i.e. for printed and display outputs), and
can be for batch processing and online system.
· Some of the key output controls are:
§ Storage and logging of sensitive, critical forms: Pre-printed stationery should
be stored securely and only authorized persons should be allowed access to
stationery supplies such as negotiable instruments etc.
§ Spooling / queuing section: “Spool” is an acronym for Simultaneous Peripherals
Operations Online. This is a process used to ensure that the user is able to
continue working while the print operation is getting completed. When a file is to
be printed, the operating system stores the data stream to be sent to the printer in
a temporary file on the hard disk. This file is then spooled to the printer as soon as
the printer is ready to accept the data. This intermediate storage of output could
lead to unauthorized disclosure and/or modification. A queue is the list of
documents waiting to be printed on a particular printer; this should not be subject
to unauthorized modifications.
§ Controls over printing: Outputs should be made on the correct printer. Users
must be trained to select the correct printer and access restrictions may be placed
on the workstations that can be used for printing.
§ Report distribution and collection controls: Distribution of reports should be
made in a secure way to prevent unauthorized disclosure of data. It should be
made immediately after printing to ensure that the time gap between generation
and distribution is reduced. A log should be maintained for reports that were
generated and to whom these were distributed. Uncollected reports should be
stored securely.
§ Retention controls: Retention controls consider the duration for which outputs
should be retained before being destroyed. Various factors ranging from the need
of the output, use of the output, to legislative requirements would affect the
retention period.

5. Database controls: (PM)

§ Meaning: These controls are used for protecting integrity of database when
users update database through application software.

§ Database controls categorized into;

i) Update control:

Ø Sequence check when the transaction file updates the master file, to ensure
correct updating.
Ø Ensure all records in the transaction file are processed: While
processing, the transaction file records are mapped to the respective master
file records, and the end-of-file of the transaction file with respect to the end-of-file
of the master file is to be ensured.
Ø Ensure every transaction record is processed in the correct order.
Ø Maintain a suspense account: When mapping between the master
record and transaction record results in a mismatch due to failure, then
these transactions are maintained in a suspense account. A nonzero
balance of the suspense account reflects the errors to be corrected.

ii) Report control:

Ø Print Suspense Account Entries: Similar to the update controls, the
suspense account entries are to be periodically monitored against the
respective error file and action taken on time.
Ø Review existence of backup & recovery controls to ensure safe recovery
of data in any adverse situation.
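The update controls above (sequence check, end-of-file handling, in-order processing and a suspense account for unmatched records), as an added example that is not from the study material. The file layouts, account numbers and amounts are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class UpdateResult:
    """Outcome of one batch update run."""
    master: dict                                   # account_id -> balance after the run
    applied: int = 0                               # transactions posted to the master file
    suspense: list = field(default_factory=list)   # (account_id, amount, reason) held back
    sequence_errors: list = field(default_factory=list)

    @property
    def suspense_balance(self):
        """A nonzero balance signals errors that still need correction."""
        return sum(amount for _, amount, _ in self.suspense)


def update_master(master_records, transactions):
    """Post a sorted transaction file against the master file.

    master_records: dict account_id -> balance (the master file).
    transactions:   list of (account_id, seq_no, amount); the file is
                    expected to be sorted by (account_id, seq_no).
    """
    master = dict(master_records)
    result = UpdateResult(master=master)
    prev_key = None
    for account_id, seq_no, amount in transactions:
        key = (account_id, seq_no)
        # Sequence check: every record must come after the previous one,
        # otherwise the update order (and hence the balances) is wrong.
        if prev_key is not None and key <= prev_key:
            result.sequence_errors.append(key)
            result.suspense.append((account_id, amount, "out of sequence"))
            continue
        prev_key = key
        # Mapping transaction -> master record; a mismatch goes to suspense
        # rather than being silently dropped.
        if account_id not in master:
            result.suspense.append((account_id, amount, "no master record"))
            continue
        master[account_id] += amount
        result.applied += 1
    # Reaching this point means the transaction file was read to end-of-file;
    # reconciles() below confirms every record was applied or put in suspense.
    return result


def reconciles(master_before, transactions, result):
    """End-of-run control: no transaction may vanish.

    total of transaction amounts == change in master total + suspense balance
    """
    txn_total = sum(amount for _, _, amount in transactions)
    master_change = sum(result.master.values()) - sum(master_before.values())
    all_accounted = result.applied + len(result.suspense) == len(transactions)
    return all_accounted and txn_total == master_change + result.suspense_balance


# Constructed sample data (not real ledger values).
MASTER = {"A100": 1000, "A200": 500}
TXN_FILE = [
    ("A100", 1, 250),
    ("A100", 2, -100),
    ("A200", 1, 50),
    ("A300", 1, 75),    # no such master record -> suspense
    ("A200", 2, 20),    # out of sequence (comes after A300) -> suspense
]


def run_sample():
    return update_master(MASTER, TXN_FILE)


if __name__ == "__main__":
    r = run_sample()
    print(r.master, r.applied, r.suspense, r.suspense_balance)
    print("reconciles:", reconciles(MASTER, TXN_FILE, r))
```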

6. Communication Controls:
(a) Physical Component Controls: These controls incorporate features that mitigate the
possible effects of exposures. The Table below gives an overview of how physical
components can affect communication subsystem reliability.
Transmission Media: A physical path along which a signal can be transmitted
between a sender and a receiver. It is of two types:
• Guided/Bound Media, in which the signals are transported along an enclosed
physical path like twisted pair, coaxial cable, and optical fiber.
• Unguided Media, in which the signals propagate via free-space emission, like
satellite microwave, radio frequency and infrared.

Communication Lines: The reliability of data transmission can be improved by
choosing a private (leased) communication line rather than a public
communication line.

Modem:
• Increases the speed with which data can be transmitted over a communication
line.
• Reduces the number of line errors that arise through distortion if it uses a
process called equalization.
• Reduces the number of line errors that arise through noise.

(b) Line Error Control: Whenever data is transmitted over a communication line, recall
that it can be received in error because of attenuation, distortion, or noise that occurs on
the line. These errors must be detected and corrected.
· Error Detection: The errors can be detected by either using a loop (echo) check or
building some form of redundancy into the message transmitted.
· Error Correction: When line errors have been detected, they must then be corrected
using either forward error correcting codes or backward error correcting codes.
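The two approaches named above, as an added example that is not from the study material: detection by building redundancy into the message (an even-parity bit) or by a loop/echo check, then correction either forward (a Hamming(7,4) codeword that the receiver repairs on its own) or backward (detect the error and request retransmission). The bit patterns and the simulated line are constructed.

```python
def with_parity(bits):
    """Redundancy for detection: append one bit so the count of 1s is even."""
    return list(bits) + [sum(bits) % 2]


def parity_ok(frame):
    """Parity catches any odd number of flipped bits; an even number slips through."""
    return sum(frame) % 2 == 0


def echo_check(sent, echoed):
    """Loop (echo) check: the receiver echoes the data back and the sender compares."""
    return list(sent) == list(echoed)


def hamming74_encode(d):
    """d = [d1, d2, d3, d4] -> 7-bit codeword [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    p1 = (d1 + d2 + d4) % 2   # covers codeword positions 1, 3, 5, 7
    p2 = (d1 + d3 + d4) % 2   # covers positions 2, 3, 6, 7
    p3 = (d2 + d3 + d4) % 2   # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(codeword):
    """Forward error correction: return (data bits, corrected position).

    The syndrome is the 1-based index of a single flipped bit, 0 when clean.
    """
    c = list(codeword)
    s1 = (c[0] + c[2] + c[4] + c[6]) % 2
    s2 = (c[1] + c[2] + c[5] + c[6]) % 2
    s3 = (c[3] + c[4] + c[5] + c[6]) % 2
    syndrome = s1 + 2 * s2 + 4 * s3
    if syndrome:
        c[syndrome - 1] ^= 1   # repair at the receiver, no retransmission needed
    return [c[2], c[4], c[5], c[6]], syndrome


def flip(bits, pos):
    """Simulate a line error (noise or distortion) flipping one bit."""
    out = list(bits)
    out[pos] ^= 1
    return out


def send_with_retransmit(data, line, max_tries=3):
    """Backward error correction: parity detects, sender retransmits.

    `line(frame, attempt)` simulates the channel and returns what arrives.
    Returns (data received without error, attempts used) or (None, max_tries).
    """
    frame = with_parity(data)
    for attempt in range(1, max_tries + 1):
        received = line(frame, attempt)
        if parity_ok(received):
            return received[:-1], attempt
    return None, max_tries


def noisy_first_attempt(frame, attempt):
    """Constructed channel: corrupts bit 0 on the first try, clean afterwards."""
    return flip(frame, 0) if attempt == 1 else list(frame)


if __name__ == "__main__":
    cw = hamming74_encode([1, 0, 1, 1])
    print("FEC:", hamming74_decode(flip(cw, 4)))
    print("ARQ:", send_with_retransmit([1, 0, 1, 1], noisy_first_attempt))
```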

(c) Flow Controls: Flow controls are needed because two nodes in a network can differ
in terms of the rate at which they can send, receive, and process data. To ensure
proper communication, flow controls are required.

(d) Topological Controls: A communication network topology specifies the location of
nodes within a network and the ways in which these nodes will be linked.
· Local Area Network Topologies:
§ They are implemented using four basic types of topologies: (1) bus topology, (2)
Tree topology, (3) Ring topology, and (4) Star topology. Hybrid topologies like the
star-ring topology and the star-bus topology are also used.
· Wide Area Network Topologies:
§ With the exception of the bus topology, all other topologies that are used to
implement LANs can also be used to implement WANs.

(e) Internetworking Controls: Internetworking is the process of connecting two or more
communication networks together to allow the users of one network to communicate with
the users of other networks. Three types of devices are used to connect networks, viz.
Bridge, Router and Gateway, as shown in the following table:

Device: Functions

Bridge: A bridge connects similar local area networks (e.g. one token ring
network to another token ring network).

Router: A router performs all the functions of a bridge. In addition, it can
connect heterogeneous local area networks (e.g. a bus network to a token ring
network).

Gateway: Its primary function is to perform protocol conversion to allow
different types of communication architectures to communicate with one another.

Section 3 - Information Systems Auditing

1. Meaning of IS Auditing & Objectives of IS Auditing

IS Audit is defined as the process of attesting the following objectives:

· Asset Safeguarding Objectives: The information system assets (hardware,
software, data, information etc.) must be protected by a system of internal controls
from unauthorised access.

· Maintenance of Privacy: Audit of Information Systems ensures that data
collected in a business process are adequately guarded and their privacy is
· System Effectiveness Objectives: Audit of Information Systems ensures that the
effectiveness of a system is continuously evaluated by auditing the characteristics
and objectives of the system to ascertain that it meets substantial user
· System Efficiency Objectives: Control and Audit of Information Systems are
required to optimize the use of various information system resources.

2. Why do we need control & audit of information systems?

Factors which influence the implementation of controls and audit.
The following factors are the driving force for controls and audit / Need for IS Control
and Audit:
· To prevent Organisational Costs of Data Loss: Audit of Information Systems is
required to protect against data loss, as data is the most critical resource of an
organisation for its present as well as future development.
· To ensure Correct Decision Making: Audit of Information Systems ensures that
accurate data is available for managers to take high level decisions.
· To control Costs of Computer Abuse: Unauthorised access to computer
systems and computer viruses can lead to destruction of assets (hardware, software,
documentation etc.), and Audit of Information Systems is required to verify such
· To protect Hardware, Software and Personnel: Hardware, Software and
Personnel are critical resources of an organization which have a significant impact
on business competitiveness, and Audit activities support the same.
· To avoid High costs of computer error: In a computerized enterprise
environment where many critical business processes are performed, a data error
during entry or process would cause great damage. Such damage is intended to
be avoided.
3. Explain Audit Documentation.

· According to SA-230, Audit Documentation refers to the record of audit

procedures performed, relevant audit evidence obtained, and conclusions
the auditor reached (terms such as working papers or work papers are also
sometimes used).
· The objectives of an auditor's working papers are to record and demonstrate the
audit work from one year to another.
· Working papers are also necessary for the following purposes:
§ Means of controlling current audit work;
§ Evidence of audit work performed;
§ Schedules supporting or additional item in the accounts; and
§ Information about the business being audited, including the recent history.

· In an IS environment, the critical issue is that evidence is not available in physical
form but in electronic form. The following is a list of actions that the auditor needs to
take to address this problem:
§ Use of special audit techniques, referred to as Computer Assisted Audit
Techniques, for documenting evidences.
§ Audit timing can be so planned that auditor is able to validate transactions
as they occur in system.

4. Explain inherent limitations of Audit.

Any opinion formed by the auditor is subject to inherent limitations of an audit, which
§ The nature of financial reporting;
§ The nature of audit procedures;
§ The need for the audit to be conducted within a reasonable period of time and at a
reasonable cost.
§ The matter of difficulty, time, or cost involved is not in itself a valid basis for the
auditor to omit an audit procedure for which there is no alternative or to be
satisfied with audit evidence that is less than persuasive.
§ Fraud, particularly fraud involving senior management or collusion.
§ The existence and completeness of related party relationships and transactions.
§ The occurrence of non-compliance with laws and regulations.
§ Future events or conditions that may cause an entity to cease to continue as a
going concern.

Concurrent & Continuous Audit

1. Why is there a need to use concurrent audit techniques? What are the different
types?

Need for Continuous Audit: Online systems process heavy volumes of data and leave
very little audit trail. In such cases evidence gathered after data processing is insufficient for
audit purposes. Also, it may be difficult to stop the system in order to perform the audit tests.
Hence there is a need to use concurrent audit techniques, i.e. continuous monitoring of
the system to collect audit evidence even while data are being processed in the live environment.

Types of Audit tools: 1) Snapshot, 2) Integrated Test Facility (ITF), 3) System Control Audit
Review File (SCARF), 4) Continuous & Intermittent Simulation (CIS), 5) Audit hooks

2. Write Short note on Snapshot Technique. (PM)

Snapshot Technique:
· Examines the way transactions are processed.
· Selected transaction points are marked with a special code that triggers a snapshot, i.e.
takes a picture of transactions as they move through an application system.
· The before image and after image are captured to validate the processing.
· The auditor reviews the images to ensure that the processing logic is executed properly
and to check its authenticity, accuracy and completeness.

Key areas to focus on while using snapshots are:

(i) Choosing the right location / points based on materiality of the transactions.
(ii) Deciding on the time of capture.
(iii) Reporting system design and implementation to present data in a meaningful way for the
auditors to understand.

3. Write Short note on Integrated Test Facility (ITF).

Integrated test Facility (ITF):

· A small set of fictitious entities are placed in master file. The entities may be fictitious
division, department or branch office or a customer or a supplier & creates dummy
· These dummy transactions are processed along with regular records.
· They don't affect actual records, and employees are unaware of the testing taking place.
· The transactions to be tested have to be tagged. The application software has to be
programmed to recognize such transactions and invoke two updates - one for the live
data and another for the ITF dummy entries.
· At the end of processing, the system collects the ITF records and the processing results.
· The auditor compares these with the expected results to verify if controls are working as desired.
· In such cases the auditor has to decide what method would be used to enter the
test data and the methodology for removal of the effects of the ITF transactions.

4. Write Short note on System Control Audit Review File (SCARF).


System Control Audit Review File (SCARF)

· It involves embedding audit modules to continuously monitor transaction
activities which the auditor feels are material / significant.
· The data deemed important by the auditor are recorded in a SCARF file (say,
petty cash payments above Rs. 5000).
· The auditor takes printouts of the SCARF file to examine whether any
transactions require follow up.

5. Write Short note on Continuous & Intermittent Simulation (CIS).

Continuous & Intermittent Simulation (CIS):

Meaning: This is a variation of the SCARF technique. This technique can be
used to trap exceptions whenever the application system uses a Database
Management System (DBMS).

Working Process:
· Embeds audit modules in a database management system.
· Once the processing logic / condition is programmed, the CIS module examines
selected transactions. If found significant, it independently processes the
data, similar to parallel simulation.
· Compares the result with that of the database & if variations are found, details
are captured in an audit log.
· If serious discrepancies are found, CIS may prevent the DBMS from executing the
update process.

Advantage: The advantage of CIS is that it does not require any modification
to the application software yet provides an online auditing capability.

6. Write short note on Audit hooks. (PM)

· These are audit routines that flag suspicious transactions.

· For example, internal auditors at an insurance company determined that their policyholder
system was vulnerable to fraud every time a policyholder changed his or her name or
address and then subsequently withdrew funds from the policy. They devised a system of
audit hooks to tag records with a name or address change. The internal audit department
then investigates these tagged records to detect fraud.
· When audit hooks are employed, auditors can be informed of questionable transactions
as soon as they occur.
· This approach of real-time notification displays a message on the auditor's terminal.
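The policyholder audit hook from the example above, as added code that is not from the study material. The event format, the field names and the 30-day look-back window are assumptions for illustration; the events are constructed.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=30)   # assumed: how long a name/address change stays "recent"


class AuditHook:
    """Embedded audit routine: the application calls on_event for every
    policy transaction, and the hook tags withdrawals that follow a
    name or address change on the same policy within the window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.recent_changes = {}   # policy_id -> date of last name/address change
        self.tagged = []           # (policy_id, date, amount, reason)

    def on_event(self, event):
        policy, when, kind = event["policy_id"], event["date"], event["type"]
        if kind in ("name_change", "address_change"):
            self.recent_changes[policy] = when
            return None
        if kind == "withdrawal":
            changed = self.recent_changes.get(policy)
            if changed is not None and timedelta(0) <= when - changed <= self.window:
                days = (when - changed).days
                tag = (policy, when, event["amount"],
                       f"withdrawal {days} days after contact-detail change")
                self.tagged.append(tag)
                # Real-time notification to the auditor's terminal would go here.
                return tag
        return None


def run_hook(events):
    """Feed events to the hook in date order; return the tagged records."""
    hook = AuditHook()
    for ev in sorted(events, key=lambda e: e["date"]):
        hook.on_event(ev)
    return hook.tagged


# Constructed sample events (no real policies or people).
SAMPLE_EVENTS = [
    {"policy_id": "P-001", "date": date(2024, 3, 1), "type": "address_change"},
    {"policy_id": "P-001", "date": date(2024, 3, 10), "type": "withdrawal", "amount": 50000},
    {"policy_id": "P-002", "date": date(2024, 3, 5), "type": "withdrawal", "amount": 20000},
    {"policy_id": "P-003", "date": date(2024, 1, 2), "type": "name_change"},
    {"policy_id": "P-003", "date": date(2024, 3, 15), "type": "withdrawal", "amount": 8000},
]

if __name__ == "__main__":
    for tag in run_hook(SAMPLE_EVENTS):
        print(tag)
```

Only P-001 is tagged: P-002 had no change on record and P-003's change was 73 days before the withdrawal, outside the assumed window.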

7. Explain Audit Trail.

· Meaning: It refers to the recording or logging of activities at the operating system, network,
application software, user & database levels.
· Example: Application logs contain details of who initiated a transaction, who authorized
it, date & time and other related details.

Objectives of audit trail:

Ø Detecting unauthorized access:
This detection can be either real-time detection or after-the-fact detection. Real-time
detections are alerts configured to trigger even while unauthorized access is being
attempted. These are very effective but require a lot of processing resources & a
monitoring mechanism.
Ex: An unauthorized user entering a wrong user ID/password three times would be logged
by the system.
Ø Facilitate reconstruction of events:
Logs keep track of events leading to system failures, security violations & processing
errors. These logs help analyze the error condition & prevent future occurrence. Similarly,
logs help reconstruct account balances if the files are corrupted.
Ø Fixing accountability: Using logs, users' activity can be monitored & this acts as a
deterrent against unauthorized access or policy violations by users.

[Q. Explain three major ways in which audit trails can be used to support security
objectives. (PM)]

Section 4: Audit of controls

1. Explain role of Auditor in Audit of Environmental Controls

§ Audit of environmental controls requires the IS auditor to conduct physical inspections
and observe practices.
§ Auditing environmental controls requires attention to the following factors and
activities, among others:
§ Power conditioning: The IS auditor should determine how frequently power
conditioning equipment, such as UPS, line conditioners, surge protectors, or motor
generators, is used, inspected and maintained, and if this is performed by
qualified personnel.
§ Backup power: The IS auditor should determine if backup power is available via
electric generators or UPS and how frequently they are tested. He or she should
examine maintenance records to see how frequently these components are
maintained and if this is done by qualified personnel.
§ Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should
determine if HVAC systems are providing adequate temperature and humidity
levels, and if they are monitored. Also, the auditor should determine if HVAC
systems are properly maintained and if qualified persons do this.
§ Water detection: The IS auditor should determine if any water detectors are used
in rooms where computers are used. He or she should determine how frequently
these are tested and if they are monitored.
§ Fire detection and suppression: The IS auditor should determine if fire detection
equipment is adequate, if staff members understand their function, and if they are
tested. He or she should determine how frequently fire suppression systems are
inspected and tested, and if the organization has emergency evacuation plans and
conducts fire drills.
§ Cleanliness: The IS auditor should examine data centers to see how clean they
are. IT equipment air filters and the inside of some IT components should be
examined to see if there is an accumulation of dust and dirt.

2. Explain role of Auditor in Audit of Physical Controls

Auditing physical security controls requires knowledge of natural and manmade
hazards, physical security controls, and access control systems.
· This involves the following:
§ Assessing the risks associated with the assets, the threats & vulnerabilities.
§ Review of existing controls in place & its adequacy.
§ Planning the audit by review of documents like security policy, layout plan of
facilities, list of inventory etc.

The following controls are to be reviewed:

· Siting and Marking: Auditing building siting and marking requires attention to
several key factors and features, including:
§ Proximity to hazards: The IS auditor should estimate the building's distance to
natural and manmade hazards, such as dams, rivers, natural gas and petroleum
pipelines, flood zones and military bases.
§ Marking: The IS auditor should inspect the building and surrounding area to see if
building(s) containing information processing equipment identify the organization.
Marking may be visible on the building itself, but also on signs or parking stickers
on vehicles.
· Physical barriers: This includes fencing, walls, barbed/razor wire, bollards, and
crash gates. The IS auditor needs to understand how these are used to control
access to the facility and determine their effectiveness.
· Surveillance: The IS auditor needs to understand how video and human
surveillance are used to control and monitor access. He or she needs to understand
how (and if) video is recorded and reviewed, and if it is effective in preventing or
detecting incidents.
· Guards and dogs: The IS auditor needs to understand the use and effectiveness of
security guards and guard dogs.
· Key-Card systems: The IS auditor needs to understand how key-card systems are
used to control access to the facility, such as how key-cards are issued and to whom
they are issued.

3. Explain role of Auditor in Audit of Logical Access Controls

(A) User Access Controls:

User access controls are often the only barrier between unauthorized parties and
sensitive or valuable information. This makes the audit of user access controls
particularly significant. Auditing user access controls requires keen attention to several
key factors and activities in four areas:
1. Auditing User Access Controls: These are to determine if the controls themselves
work as designed. Auditing user access controls requires attention to several factors:
· Authentication: The auditor should examine network and system resources to
determine if they require authentication, or whether any resources can be
accessed without first authenticating.
· Access violations: The auditor should determine if systems, networks, and
authentication mechanisms can log access violations. These usually exist in
the form of system logs showing invalid login attempts when any unauthorized
user tries to log in.
· User account lockout: The auditor should determine if systems and networks
can automatically lock user accounts that are the target of attacks. For example, lock a
user account after five unsuccessful login attempts within a short period.
· Dormant accounts: The IS auditor should determine if any automated or manual
process exists to identify and close dormant (unused) accounts.

· Shared accounts: The IS auditor should determine if there are any user
accounts shared by more than one person. The principal risk with shared accounts is
the inability to determine accountability for actions performed with the account.
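An after-the-fact review of an authentication log, as an added example that is not from the study material, covering both the audit trail point made earlier (three wrong attempts get logged and reported) and the lockout check just above (five unsuccessful attempts within a short period). The log line format, the ten-minute window and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<name> result=OK|FAIL terminal=<id>"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

REPORT_AFTER = 3                     # failures that make an access-violation report
LOCK_AFTER = 5                       # failures ...
LOCK_WINDOW = timedelta(minutes=10)  # ... within this window should trigger lockout


def parse(lines):
    """Yield (timestamp, user, result); malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["result"]


def failures_in_window(timestamps, n=LOCK_AFTER, window=LOCK_WINDOW):
    """True if any n failures fall inside one sliding window."""
    ts = sorted(timestamps)
    return any(ts[i + n - 1] - ts[i] <= window for i in range(len(ts) - n + 1))


def review(lines):
    """Return (failure count per user, users to report, users to lock)."""
    failures = defaultdict(list)
    for ts, user, result in parse(lines):
        if result == "FAIL":
            failures[user].append(ts)
    counts = {u: len(t) for u, t in failures.items()}
    report = sorted(u for u, t in failures.items() if len(t) >= REPORT_AFTER)
    lock = sorted(u for u, t in failures.items() if failures_in_window(t))
    return counts, report, lock


# Constructed sample log (no real users or systems).
SAMPLE_LOG = """\
2024-05-06T09:00:01 user=alice result=FAIL terminal=WS-17
2024-05-06T09:00:30 user=alice result=FAIL terminal=WS-17
2024-05-06T09:01:10 user=alice result=FAIL terminal=WS-17
2024-05-06T09:01:40 user=alice result=OK terminal=WS-17
2024-05-06T09:05:00 user=bob result=FAIL terminal=WS-03
2024-05-06T09:06:00 user=bob result=FAIL terminal=WS-03
2024-05-06T09:07:00 user=bob result=FAIL terminal=WS-03
2024-05-06T09:08:00 user=bob result=FAIL terminal=WS-03
2024-05-06T09:09:00 user=bob result=FAIL terminal=WS-03
2024-05-06T08:00:00 user=carol result=FAIL terminal=WS-22
2024-05-06T09:00:00 user=carol result=FAIL terminal=WS-22
2024-05-06T10:00:00 user=carol result=FAIL terminal=WS-22
2024-05-06T11:00:00 user=carol result=FAIL terminal=WS-22
2024-05-06T12:00:00 user=carol result=FAIL terminal=WS-22
2024-05-06T09:30:00 user=dave result=FAIL terminal=WS-05
2024-05-06T09:30:20 user=dave result=OK terminal=WS-05
this line is malformed and is skipped by the parser
""".splitlines()

if __name__ == "__main__":
    counts, report, lock = review(SAMPLE_LOG)
    print("failures:", counts)
    print("report (>= 3 failures):", report)
    print("lock (5 failures within 10 min):", lock)
```

Carol's five failures are spread over four hours, so she is reported but the lockout rule does not fire; that gap between "many failures" and "many failures quickly" is what the auditor checks the configured thresholds against.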

2. Auditing Password Management: Auditing password management requires
attention to several key technologies and activities, including the following:
· Password standards: The IS auditor needs to examine password
configuration settings in areas such as how many characters a password must
have and whether there is a maximum length; how frequently passwords must be
changed; whether former passwords may be used again; whether the password
is displayed when logging in or when creating a new password, etc.

3. Auditing User Access Provisioning: Auditing the user access provisioning process
requires attention to several key activities, including:
· Access request processes: The IS auditor should determine that all user
access request processes are used consistently throughout the organization.
· Access approvals: The IS auditor needs to determine how requests are
approved and by what authority they are approved.
· New employee provisioning: The IS auditor should examine the new
employee provisioning process to see how a new employee’s user accounts
are initially set up.
· Segregation of Duties (SOD): The IS auditor should determine if the
organization makes any effort to identify segregation of duties. This may include
whether there are any SOD procedures in existence and if they are actively
used to make user access request decisions.
· Access reviews: The IS auditor should determine if there are any periodic
access reviews and what aspects of user accounts are reviewed; this may
include termination reviews, internal transfer reviews, SOD reviews, and dormant
account reviews.

4. Auditing Employee Terminations: Auditing employee terminations requires

attention to several key factors, including:
· Termination process: The IS auditor should examine the employee
termination process and determine its effectiveness.
· Access reviews: The IS auditor should determine if any internal reviews of
terminated accounts are performed, if any missed terminations are identified
and if any process improvements are undertaken.
· Contractor access and terminations: The IS auditor needs to determine how
contractor access and termination is managed and if such management is

(B) User Access Logs:

The IS auditor needs to determine what events are recorded in access logs to
determine if the right events are being logged, or if logging is suppressed on
events that should be logged.

· Centralized access logs: The IS auditor should determine if the organization’s
access logs are centralized or if they are stored on individual systems.
· Access log protection: The auditor needs to determine if access logs can be
altered, destroyed, or attacked to cause the system to stop logging events.
· Access log review: The auditor should determine if access log reviews take
place, who performs them, how issues requiring attention are identified, and what
actions are taken when necessary.
· Access log retention: The IS auditor should determine how long access logs are
retained by the organization and if they are backed up.

(C) Investigative Procedures:

Auditing investigative procedures requires attention to several key activities:
· Investigation policies and procedures: The IS auditor should determine proper
procedures regarding security investigations including who is responsible, where
information is stored, and to whom results are reported.
· Computer crime investigations: The IS auditor should determine if there are
policies, processes, procedures, and records regarding computer crime
· Computer forensics: The IS auditor should determine if there are procedures for
conducting computer forensics. The auditor should also identify tools and
techniques used, qualification & skill set of employees performing investigations.

(D) Internet Points of Presence:

· Search engines: Google, Yahoo!, and other search engines should be consulted
to see what information about the organization is available. Searches should
include the names of company officers and management, key employees etc.
· Social networking sites: Social networking sites such as Facebook, LinkedIn,
and Twitter should be searched to see what employees, former employees, and
others are saying about the organization. Any authorized or unauthorized “fan
pages” should be searched as well.
· Online sales sites: Sites such as eBay should be searched to see if anything
related to the organization is sold online.
· Justification of Online Presence: The IS auditor should examine business
records to determine on what basis the organization established online capabilities
such as e-mail, web sites, e-commerce, Internet access for employees.

4. Explain role of Auditor in Audit / Audit trail of Managerial Controls

Ø Top Management and Information Systems Management Controls

The major activities that senior management must perform are – Planning, Organizing,
Controlling and Leading (already explained in Chapter – 3). The Role of auditor at each
activity is discussed below:
· Planning: Auditors need to evaluate whether top management has formulated a
high-quality information systems plan that is appropriate to the needs of the
organization or not. A poor-quality information system is ineffective and inefficient,
leading to the loss of the organization's competitive position.
· Organizing: Auditors should be concerned about how well top management acquires
and manages staff resources for three reasons:
§ The effectiveness of the IS function depends primarily on the quality of its staff.
The IS staff need to remain up to date and motivated in their jobs.
§ Intense competition and high turnover have made acquiring and retaining good
information system staff a complex activity.
§ Staff should have the required skill set and be trustworthy.
· Leading: Generally, the auditors examine variables that often indicate when
motivation problems exist or suggest poor leadership. To verify the same, auditors
may use both formal and informal sources of evidence to evaluate how well top
managers communicate with their staff.
· Controlling: Auditors must evaluate whether top management's choice of the means
of control over the users of IS services is likely to be effective or not.

Ø System Development Management Controls

Systems Development Management has responsibility for the functions concerned with
analyzing, designing, building, implementing, and maintaining information systems.
Three different types of audits may be conducted during the system development process,
as discussed below:

Concurrent Audit: Auditors are members of the system development team. They assist
the team in improving the quality of systems development for the specific system
they are building and implementing.

Post-implementation Audit: Auditors seek to help an organization learn from its
experiences in the development of an application system. In addition, they might be
evaluating whether the system needs to be scrapped, continued, or modified in some way.

General Audit: Auditors evaluate systems development controls overall. It is
performed as part of compliance testing. They seek to determine whether the auditor
can reduce the extent of substantive testing needed to form an audit opinion.

An external auditor is more likely to undertake general audits rather than concurrent or
post-implementation audits of the systems development process. For internal auditors,
management might require that they participate in the development of material
application systems or undertake post-implementation reviews of material application
systems as a matter of course.

Ø Programming Management Controls

Some of the major concerns that an auditor should address under the different activities
involved in the Programming Management Control phase are provided in the table below:

Phase: Audit Trail

Planning:
· They should evaluate whether the nature of and extent of planning are
appropriate to the different types of software that are developed or acquired.
· They must evaluate how well the planning work is being

Design:
· Auditors should find out whether programmers use some type of systematic
approach to design.

Coding: Auditors should seek evidence
· On the level of care exercised by programming management in choosing a
module implementation and integration strategy.
· To check whether programmers employ automated facilities to assist them with
their coding work.

Testing:
· Auditors can use interviews, observations, and examination of documentation
to evaluate how well unit testing, integration testing & whole-of-programme
testing is conducted.

Operation and Maintenance:
· Auditors need to ensure that effective and timely reporting of maintenance needs
occurs and that maintenance is carried out in a well-controlled manner.
· Auditors should ensure that management has implemented a review system and
assigned responsibility for monitoring the status of operational programs.

Ø Data Resource Management Controls

· Auditors should determine what controls are exercised to maintain data integrity.
They might also interview database users to determine their level of awareness of
these controls.
· Auditors might employ test data to evaluate whether access controls and
update controls are working.

Ø Quality Assurance Management Controls

· Auditors might use interviews, observations and reviews of documentation to
evaluate how well Quality Assurance (QA) personnel perform their monitoring
· Auditors can evaluate how well QA personnel undertake the reporting function
and training through interviews, observations, and reviews of documentation.

Ø Security Management Controls

· Auditors must evaluate whether security administrators are conducting ongoing,
high-quality security reviews or not;
· Auditors check whether the organizations audited have appropriate, high-quality
disaster recovery plan in place; and
· Auditors check whether the organizations have opted for an appropriate
insurance plan or not.

Ø Operations Management Controls

· Auditors should take care to see whether the documentation is maintained
securely and that it is issued only to authorized personnel.
· Auditors can use interviews, observations, and review of documentation to
evaluate -
§ the activities of documentation librarians;
§ how well operations management undertakes the capacity planning and
performance monitoring function;
§ the reliability of outsourcing vendor controls;
§ whether operations management is monitoring compliance with the outsourcing
contract; and
§ Whether operations management regularly assesses the financial viability of
any outsourcing vendors that an organization uses.

5. Explain role of Auditor in Audit / Audit trail of Application Controls

Two types of audit trail should exist in each system:

· An Accounting Audit Trail to maintain a record of events within the subsystem; and
· An Operations Audit Trail to maintain a record of the resource consumption
associated with each event in the subsystem.

We shall now discuss Audit Trails for Application Controls in detail.

1. Boundary Controls: This maintains the chronology of events that occur when a user
attempts to gain access to and employ systems resources.

Accounting Audit Trail

· Identity of the would-be user of the system;

· Authentication information supplied;
· Resources requested;
· Action privileges requested;
· Terminal Identifier;
· Start and Finish Time;
· Number of Sign-on attempts;
· Resources provided/denied; and
· Action privileges allowed/denied.

Operations Audit Trail

· Resource usage from log-on to log-out time.
· Log of Resource consumption.

2. Input Controls: This maintains the chronology of events from the time data and
instructions are captured and entered into an application system until the time they are
deemed valid and passed onto other subsystems within the application system.

Accounting Audit Trail

· The identity of the person (organization) who was the source of the data;
· The identity of the person (organization) who entered the data into the system;
· The time and date when the data was captured;
· The identifier of the physical device used to enter the data into the system;
· The account or record to be updated by the transaction;
· The details of the transaction; and
· The number of the physical or logical batch to which the transaction belongs.

3. Processing Controls: The audit trail maintains the chronology of events from the
time data is received from the input or communication subsystem to the time data is
dispatched to the database, communication, or output subsystems.

Accounting Audit Trail

· To trace the processing performed on a data item.
· Triggered transactions to monitor input data entry, processing and output.

Operations Audit Trail

· A comprehensive log on hardware consumption – CPU time used, secondary storage
space used, and communication facilities used.
· A comprehensive log on software consumption.

4. Output Controls: The audit trail maintains the chronology of events that occur from
the time the content of the output is determined until the time users complete their
disposal of output because it no longer should be retained.

Accounting Audit Trail

· What output was presented to users;
· Who received the output;
· When the output was received; and
· What actions were taken with the output.

Operations Audit Trail

· To maintain the record of resources consumed – graphs, report pages.

5. Database Controls: The audit trail maintains the chronology of events that occur
either to the database definition or the database itself.

Accounting Audit Trail

· To attach a unique time stamp to all transactions;
· To attach before images and after images of the data; and
· To record any modifications or corrections to audit trail transactions that accommodate the
changes that occur within an application system.

Operations Audit Trail

· To maintain a chronology of resource consumption events that affect the database.

6. Communication Controls: The audit trail maintains a chronology of the events from the time
a sender dispatches a message to the time a receiver obtains the message.

· Unique identifier of the source / destination node;
· Unique identifier of each node in the network that transfers the message;
· Time and date at which the message was dispatched;
· Time and date at which the message was received by the sink node;
· Time and date at which each node in the network was traversed by the message; and
· Message sequence number.
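As an added example (not part of the study material) that covers both the input-control and the database-control accounting audit trails above in one piece of code: a Python append-only audit trail that records, for each transaction, the fields listed above (source identity, entry identity, capture time, device identifier, account, batch number, and before / after images of the record) and chains the entries with SHA-256, so that a later edit or deletion of any entry is detectable by re-walking the chain. The transactions, user names, terminal and batch identifiers are constructed sample data.

```python
"""Hash-chained accounting audit trail (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the very first entry


@dataclass
class AuditEntry:
    seq: int
    ts: str                              # when the data was captured (UTC, ISO 8601)
    source_id: str                       # person / organisation the data came from
    entered_by: str                      # person who keyed it into the system
    device_id: str                       # terminal / workstation identifier
    batch_id: str                        # physical or logical batch of the transaction
    account: str                         # account or record the transaction updates
    action: str                          # what was done, e.g. "create" / "update"
    before: Optional[Dict[str, Any]]     # before image of the record
    after: Optional[Dict[str, Any]]      # after image of the record
    prev_hash: str                       # hash of the previous entry (the chain link)
    entry_hash: str = ""                 # hash over every field above


def entry_digest(entry: AuditEntry) -> str:
    """SHA-256 over the entry's content, excluding its own hash field."""
    body = asdict(entry)
    body.pop("entry_hash")
    # canonical JSON so the same content always hashes identically
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, *, source_id: str, entered_by: str, device_id: str,
               batch_id: str, account: str, action: str,
               before: Optional[Dict[str, Any]], after: Optional[Dict[str, Any]],
               ts: Optional[str] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AuditEntry(
            seq=len(self.entries),
            ts=ts or datetime.now(timezone.utc).isoformat(),
            source_id=source_id, entered_by=entered_by, device_id=device_id,
            batch_id=batch_id, account=account, action=action,
            before=before, after=after, prev_hash=prev)
        entry.entry_hash = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if the chain is intact."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != expected_prev or entry_digest(e) != e.entry_hash:
                return i
            expected_prev = e.entry_hash
        return None

    def history(self, account: str) -> List[AuditEntry]:
        """Trace every change applied to one account (the processing-trace use above)."""
        return [e for e in self.entries if e.account == account]


def build_sample_trail() -> AuditTrail:
    """Constructed sample transactions; not taken from any real system."""
    trail = AuditTrail()
    trail.record(source_id="CUST-1042", entered_by="clerk.anita", device_id="TERM-07",
                 batch_id="B2024-0311-01", account="AR-1042", action="create",
                 before=None, after={"balance": 0}, ts="2024-03-11T09:00:00+00:00")
    trail.record(source_id="CUST-1042", entered_by="clerk.anita", device_id="TERM-07",
                 batch_id="B2024-0311-01", account="AR-1042", action="update",
                 before={"balance": 0}, after={"balance": 1500},
                 ts="2024-03-11T09:01:30+00:00")
    trail.record(source_id="CUST-2210", entered_by="clerk.ravi", device_id="TERM-12",
                 batch_id="B2024-0311-02", account="AR-2210", action="create",
                 before=None, after={"balance": 0}, ts="2024-03-11T09:05:00+00:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    trail.entries[1].after = {"balance": 150}    # an after-the-fact edit of a record
    print("first bad entry:", trail.verify())      # the stored hash no longer matches
```

Chaining only makes tampering detectable, not impossible: whoever can rewrite every later hash can rewrite history, so in practice the latest hash is periodically copied somewhere the application's administrators cannot write (a separate log server, a signed checkpoint), which is the database-control point about protecting corrections to the audit trail itself.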

Organization Structure & Responsibilities

· Organizations require structure to distribute responsibility to groups of people with
specific skills and knowledge.
· The structure of an organization is called an organization chart (org chart).
· Organizing and maintaining an organization structure requires that many factors be
considered.

In most organizations, the organization chart is a living structure that changes
frequently, based upon several conditions including the following:

· Short- and long-term objectives: Organizations sometimes move executives from
one department to another so that departments that were once far from each other (in
terms of the org chart structure) will be near each other.
§ These organizational changes are usually performed to help an organization meet
new objectives that require new partnerships and teamwork that were less
important before.
· Market conditions: Changes in market positions can cause an organization to realign
its internal structure in order to strengthen itself.
§ For example, if a competitor lowers its prices based on a new sourcing strategy, an
organization may need to respond by changing its organizational structure to put
experienced executives in charge of specific activities.
· Regulation: New regulations may force an organization to change its organizational
structure.
§ For instance, an organization may have to appoint a director or officer to comply with
a legal requirement.
· Available talent: When someone leaves the organization (or moves to another
position within the organization), particularly in positions of leadership, a space opens
in the org chart that often cannot be filled right away.
§ Instead, senior management will temporarily change the structure of the
organization by moving the leaderless department under the control of someone
else.
Roles and Responsibilities:

The topic of roles and responsibilities is multidimensional: it encompasses positions and
relationships on the organization chart, it defines specific job titles and duties, and
responsibilities regarding the use and protection of assets.

Individual Roles and Responsibilities:

Several roles and responsibilities fall upon all individuals throughout the organization.
· Executive management: The senior managers and executives in an organization are
responsible for developing the organization's mission, objectives, and goals, as well as
policy, including security policy, which defines (among other things) the protection of
assets.
· Owner: An owner is an individual (usually but not necessarily a manager) who is the
designated owner of an asset.
§ Depending upon the organization's security policy, an owner may be responsible
for the maintenance and integrity of the asset, as well as for deciding who is
permitted to access and make changes to the asset.
· Manager: A manager is responsible for obtaining policies and procedures and making
them available to their staff members.
§ They should also, to some extent, be responsible for their staff members' behavior.
· User: Users are individuals (at any level of the organization) who use assets in the
performance of their job duties.
§ Each user is responsible for how he or she uses the asset, and for not permitting
others to access the asset in his or her name.
§ Users are responsible for performing their duties lawfully and for conforming to
organization policies.

Job Titles and Job Descriptions

· A Job Title is a label that is assigned to a job description.
· It denotes a position in the organization that has a given set of responsibilities, and
which requires a certain level and focus of education and prior experience.
· Job titles in IT have matured and are quite consistent across organizations.
· This consistency helps organizations in several ways:
§ Recruiting: When the organization needs to find someone to fill an open position,
the use of standard job titles will help prospective candidates more easily find
positions that match their criteria.
§ Compensation baselining: Because of the chronic shortage of talented IT
workers, organizations are forced to be more competitive when trying to attract new
talent.
o To remain competitive, many organizations periodically undertake a regional
compensation analysis to better understand the levels of compensation paid to
IT workers in other organizations.
o The use of standard job titles makes the task of comparing compensation far
easier.
§ Career advancement: When an organization uses job titles that are consistent in
the industry, IT workers have a better understanding of the functions of
positions within their own organizations and can more easily plan how they can
advance.

The remainder of this section includes many IT job titles with a short description (not a full
job description by any measure) of the function of that position.

(a) Executive Management: Executive managers are the chief leaders and
policymakers in an organization. They set objectives and work directly with the
organization’s most senior management to help make decisions affecting the future
strategy of the organization.
· CIO (Chief Information Officer): This is the title of the topmost leader in a
larger IT organization.
· CTO (Chief Technical Officer): This position is usually responsible for an
organization’s overall technology strategy.
§ Depending upon the purpose of the organization, this position may be
separate from IT.
· CSO (Chief Security Officer): This position is responsible for all aspects of
security, including information security, physical security etc.
· CISO (Chief Information Security Officer): This position is responsible for all
aspects of data-related security.
§ This usually includes incident management, disaster recovery, vulnerability
management, and compliance.
· CPO (Chief Privacy Officer): This position is responsible for the protection and
use of personal information.
§ This position is found in organizations that collect and store sensitive
information for large numbers of persons.

(b) Software Development:

Positions in software development are involved in the design, development, and testing
of software applications.
· Systems Architect: This position is usually responsible for the overall
information systems architecture in the organization.
· Systems Analyst: A systems analyst is involved with the design of applications,
including changes in an application’s original design.

§ This position may develop technical requirements, program design, and
software test plans.
· Software Developer, Programmer: This position develops application software.
§ Depending upon the level of experience, persons in this position may also
design programs or applications.
· Software Tester: This position tests programs made by software developers.

(c) Data Management

Positions in data management are responsible for developing and implementing
database designs and for maintaining databases.
· Database Architect: This position develops logical and physical designs of
data models for applications.
§ With sufficient experience, this person may also design an organization’s
overall data architecture.
· Database Administrator (DBA): This position builds and maintains databases
designed by the database architect and those databases that are included as a
part of purchased applications.
§ The DBA monitors databases, tunes them for performance and efficiency,
and troubleshoots problems.
· Database Analyst: This position performs tasks that are junior to the database
administrator, carrying out routine data maintenance and monitoring tasks.

(d) Network Management

Positions in network management are responsible for designing, building, monitoring,
and maintaining voice and data communications networks, including connections to
outside business partners and the Internet.
· Network Architect: This position designs networks and designs changes and
upgrades to the network as needed to meet new organization objectives.
· Network Engineer: This position builds and maintains network devices such
as routers, switches, firewalls, and gateways.
· Network Administrator: This position performs routine tasks in the network
such as making minor configuration changes and monitoring event logs.
· Telecom Engineer: Positions in this role work with telecommunications
technologies such as data circuits, phone systems, and voicemail systems.

(e) Systems Management

Positions in systems management are responsible for architecture, design, building, and
maintenance of servers and operating systems. This may include desktop operating
systems as well.
· Systems Architect: This position is responsible for the overall architecture of
systems (usually servers).
§ This position is usually also responsible for the design of services such as
authentication, e-mail, and time synchronization.
· Systems Engineer: This position is responsible for designing, building, and
maintaining servers and server operating systems.
· Storage Engineer: This position is responsible for designing, building, and
maintaining storage subsystems.
· Systems Administrator: This position is responsible for performing
maintenance and configuration operations on systems.

(f) General Operations
Positions in operations are responsible for day-to-day operational tasks that may
include networks, servers, databases, and applications.
· Operations Manager: This position is responsible for overall operations that are
carried out by others. Responsibilities will include establishing operations shift
· Operations Analyst: This position may be responsible for the development of
operational procedures; examining the health of networks, systems, and
databases; setting and monitoring the operations schedule; and maintaining
operations records.
· Controls Analyst: This position is responsible for monitoring batch jobs, data
entry work, and other tasks to make sure that they are operating correctly.
· Systems Operator: This position is responsible for monitoring systems and
networks, performing backup tasks, and other operational tasks.
· Data Entry: This position is responsible for keying batches of data from hard
copy sources.
· Media Librarian: This position is responsible for maintaining and tracking the use
and storage of backup tapes and other media.

(g) Security Operations:

Positions in security operations are responsible for designing, building, and
monitoring security systems and security controls, to ensure the confidentiality,
integrity, and availability of information systems.
· Security Architect: This position is responsible for the design of security
controls and systems such as authentication, audit logging, intrusion detection
systems, and firewalls.
· Security Engineer: This position is responsible for designing, building, and
maintaining security services and systems that are designed by the security
architect.
· Security Analyst: This position is responsible for examining logs from firewalls,
intrusion detection systems, and audit logs from systems and applications.
§ This position may also be responsible for issuing security advisories to
others in IT.
· User Account Management: This position is responsible for accepting
approved requests for user access management changes and performing the
necessary changes at the network, system, database, or application level.
· Security Auditor: This position is responsible for performing internal audits of
IT controls to ensure that they are being operated properly.

(h) Service Desk

Positions at the service desk are responsible for providing front line support services
to IT and IT’s customers.
· Help desk Analyst: This position is responsible for providing front line user
support services to personnel in the organization.
· Technical Support Analyst: This position is responsible for providing technical
support services to other IT personnel, and perhaps also to IT customers.

Segregation of Duties

· Information systems often process large volumes of information that is sometimes
highly valuable or sensitive.
· Measures need to be taken in IT organizations to ensure that individuals do not
possess sufficient privileges to carry out potentially harmful actions on their own.
· Checks and balances are needed, so that high-value and high-sensitivity activities
involve the coordination of two or more authorized individuals.
· The concept of Segregation of Duties (SOD), also known as separation of
duties, ensures that single individuals do not possess excess privileges that
could result in unauthorized activities such as fraud or the manipulation or
exposure of sensitive data.
· The concept of segregation of duties has long been established in organization
accounting departments where, for instance, separate individuals or groups are
responsible for the creation of vendors, the request for payments, and the printing
of cheques.

Segregation of Duties Controls

· Preventive and detective controls should be put into place to manage
segregation of duties matters.
· In most organizations, both the preventive and detective controls will be manual,
particularly when it comes to unwanted combinations of access between different
· However, in some transaction-related situations, controls can be automated,
although they may still require intervention by others.

Some Examples of Segregation of Duties Controls

· Transaction Authorization: Information systems can be programmed or
configured to require two (or more) persons to approve certain transactions.
§ Many of us see this in retail establishments where a manager is required to
approve a large transaction or a refund.
§ In IT applications, transactions meeting certain criteria (for example,
exceeding normally accepted limits or conditions) may require a manager's
approval to be able to proceed.
· Split custody of high-value assets: Assets of high importance or value can be
protected using various means of split custody.
§ For example, a password to an encryption key that protects a highly valued
asset can be split into two halves, one half assigned to two persons and the
other half assigned to two other persons, so that no single individual knows the
entire password, while the absence of any one person does not lock the asset
away.
§ Banks do this for central vaults, where a vault combination is split into two or
more pieces so that two or more persons are required to open it.
· Workflow: Applications that are workflow-enabled can use a second (or third)
level of approval before certain high-value or high-sensitivity activities can take
place.
§ For example, a workflow application that is used to provision user accounts
can include extra management approval steps in requests for administrative
privileges.
· Periodic reviews: IT or internal audit personnel can periodically review user
access rights to identify whether any segregation of duties issues exist.
§ The access privileges for each worker can be compared against a segregation
of duties control matrix.
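The split-custody idea above (a secret divided so that no single person holds all of it, with enough redundancy that one absent custodian does not lock the asset away) is what Shamir's secret sharing gives in general form: the key becomes the constant term of a random polynomial over a prime field, each custodian receives one point on it, any k of the n points reconstruct the key by Lagrange interpolation, and fewer than k reveal nothing about it. Splitting a password into literal halves, by contrast, hands each holder half of the search space. The following Python block is an added example, not part of the study material or of any product; the 3-of-5 policy is constructed for the demonstration and the key value is a published AES test vector rather than a real key.

```python
"""k-of-n split custody of a key with Shamir secret sharing (added example)."""
import secrets
from typing import List, Tuple

# Arithmetic is done modulo a Mersenne prime large enough to hold a secret of up to
# 64 bytes as a single field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]   # (x, f(x)); x is the custodian's index, never 0


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of f(x) = a0 + a1*x + ... + a(k-1)*x^(k-1) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares such that any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    # a0 is the secret; the other k-1 coefficients are uniformly random, which is
    # what makes any k-1 shares statistically independent of the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share], k: int) -> int:
    """Lagrange-interpolate f(0) from k distinct shares."""
    if len(shares) < k:
        raise ValueError("fewer than k shares: reconstruction is impossible")
    pts = shares[:k]
    if len({x for x, _ in pts}) != k:
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME          # (0 - xj)
                den = den * (xi - xj) % PRIME      # (xi - xj)
        # division in the field is multiplication by the modular inverse (Fermat)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, k: int, n: int) -> List[Share]:
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares: List[Share], k: int, key_len: int) -> bytes:
    return recover_secret(shares, k).to_bytes(key_len, "big")


# Constructed demonstration key: the FIPS-197 AES-256 test-vector key, not a real secret.
DEMO_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


if __name__ == "__main__":
    shares = split_key(DEMO_KEY, k=3, n=5)   # five custodians, any three open the vault
    custodians = [shares[0], shares[2], shares[4]]
    print(recover_key(custodians, 3, len(DEMO_KEY)) == DEMO_KEY)
```

Each share is handed to a different custodian through a separate channel and the polynomial coefficients are discarded; reconstruction should happen inside the system that will use the key, so that the assembled secret never sits in any one person's hands.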
When SOD issues are encountered during a segregation of duties review,
management will need to decide how to mitigate the matter.
The choices for mitigating a SOD issue include:
§ Reduce access privileges: Management can reduce individual user
privileges so that the conflict no longer exists.
§ Introduce a new mitigating control: If management has determined that the
person(s) need to retain privileges that are viewed as a conflict, then new
preventive or detective controls need to be introduced that will prevent or
detect unwanted activities.
§ Examples of mitigating controls include increased logging to record the actions
of personnel, improved exception reporting to identify possible issues, and
external reviews of high-risk controls.
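As an added example (not from the study material), the periodic review above as a small detection script: a constructed SOD control matrix of conflicting duty pairs, constructed role definitions and worker assignments, a review that lists every worker whose effective privileges contain a conflicting pair together with any mitigating control management has recorded for it, and a preventive check that can be run before a new role is granted. The entitlement and role names are illustrative and not any product's; the point is that the conflict check runs over effective privileges (the union of all the worker's roles), since conflicts usually arise across roles rather than inside one.

```python
"""Segregation-of-duties review against a control matrix (added example)."""
from typing import Dict, FrozenSet, List, Set, Tuple

Conflict = FrozenSet[str]

# Constructed SOD control matrix: pairs of duties no single person may hold.
SOD_MATRIX: Set[Conflict] = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.request", "payment.approve"}),
    frozenset({"payment.approve", "cheque.print"}),
    frozenset({"user.provision", "user.approve"}),
    frozenset({"journal.post", "journal.approve"}),
}

# Constructed role definitions (role -> entitlements) and worker assignments.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"vendor.create", "payment.request"},
    "AP_MANAGER": {"payment.approve"},
    "TREASURY": {"cheque.print"},
    "IT_ADMIN": {"user.provision"},
    "IT_MANAGER": {"user.approve"},
}
ASSIGNMENTS: Dict[str, Set[str]] = {
    "anita": {"AP_CLERK"},
    "ravi": {"AP_CLERK", "AP_MANAGER"},   # creates vendors, requests and approves payments
    "meena": {"AP_MANAGER", "TREASURY"},  # approves payments and prints the cheques
    "joe": {"IT_ADMIN"},
}

# Conflicts management has accepted together with a compensating control (constructed).
MITIGATIONS: Dict[Tuple[str, Conflict], str] = {
    ("meena", frozenset({"payment.approve", "cheque.print"})):
        "weekly cheque-register review by internal audit",
}


def effective_privileges(user: str, assignments: Dict[str, Set[str]] = ASSIGNMENTS,
                         roles: Dict[str, Set[str]] = ROLES) -> Set[str]:
    """Union of the entitlements of every role the worker holds."""
    privs: Set[str] = set()
    for role in assignments.get(user, set()):
        privs |= roles.get(role, set())
    return privs


def find_conflicts(privs: Set[str], matrix: Set[Conflict] = SOD_MATRIX) -> List[Conflict]:
    """Every conflicting pair fully contained in a privilege set, in a stable order."""
    return sorted((c for c in matrix if c <= privs), key=sorted)


def sod_review(assignments=ASSIGNMENTS, roles=ROLES, matrix=SOD_MATRIX,
               mitigations=MITIGATIONS) -> Dict[str, List[dict]]:
    """Detective control: the periodic review. Returns only workers with findings."""
    report: Dict[str, List[dict]] = {}
    for user in sorted(assignments):
        for conflict in find_conflicts(effective_privileges(user, assignments, roles), matrix):
            report.setdefault(user, []).append({
                "conflict": tuple(sorted(conflict)),
                "mitigated_by": mitigations.get((user, conflict)),   # None = unmitigated
            })
    return report


def check_role_grant(user: str, new_role: str, assignments=ASSIGNMENTS, roles=ROLES,
                     matrix=SOD_MATRIX) -> List[Conflict]:
    """Preventive control: conflicts a proposed role grant would newly introduce."""
    before = effective_privileges(user, assignments, roles)
    after = before | roles.get(new_role, set())
    existing = set(find_conflicts(before, matrix))
    return [c for c in find_conflicts(after, matrix) if c not in existing]


if __name__ == "__main__":
    for user, findings in sod_review().items():
        for f in findings:
            print(f"{user}: {' + '.join(f['conflict'])} -> "
                  f"{f['mitigated_by'] or 'UNMITIGATED'}")
    print("joe + IT_MANAGER would add:", check_role_grant("joe", "IT_MANAGER"))
```

In the sample data, ravi holds two unmitigated conflicts and is the finding the review exists to surface; meena's conflict is reported too, but with the accepted compensating control next to it, so the reviewer can judge whether that control is still adequate rather than rediscovering the exception every cycle.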

o Virtualization
o Grid Computing
o Cloud Computing
o Mobile Computing
o Green IT
o Web 3.0
o Artificial Intelligence
o Machine Learning

1. Define E-Commerce.
· E-Commerce: “Sale / Purchase of goods / services through electronic mode is
ecommerce.” This could include the use of technology in the form of Computers,
Desktops, Mobile Applications, etc.
· E-Commerce is the process of doing business electronically. It refers to the use
of technology to enhance the processing of commercial transactions between a
company, its customers and its business partners. It involves the automation of a
variety of Business-To-Business (B2B) and Business-To-Consumer (B2C)
transactions through reliable and secure connections.
· This illustrates the new business model enabled by technology: in this model the link
between consumer and supplier is virtually direct.

2. Differentiate Traditional Commerce and E-Commerce.

Basis | Traditional Commerce | E-Commerce
Definition | Traditional commerce includes all those activities which encourage exchange, in some way or the other, of goods / services, and which are manual and non-electronic. | E-Commerce means carrying out commercial transactions or exchange of information electronically on the internet.
Transaction | Manual | Electronic
Availability for commercial transactions | For a limited time. This time may be defined by law. Some special stores may run 24 hours, but in general availability is limited. | 24*7*365
Nature of purchase | Goods can be inspected physically before purchase. | Goods cannot be inspected physically before purchase.
Customer interaction | Face to face | Face to screen
Business scope | Limited to a particular area | Worldwide reach
Payment | Cash, cheque, credit card, etc. | Credit card, fund transfer, Cash on Delivery, payment wallets, UPI applications
Delivery of goods | Instantly | Takes time, but e-commerce websites have now created options of same-day delivery, or delivery within 4 hours.
3. Benefits of E-Business
E-business benefits individuals, businesses, government and society at large. The major
benefits from e-business are as follows;
A. Benefits to Customer / Individual / User
· Convenience: Every product is at the tip of the individual's fingertips on the internet.
· Time saving: The number of operations that can be performed by both potential buyers
and sellers increases.
· Various Options: There are several options available to customers which are not
only easy to compare but are provided by different players in the market.
· Easy to find reviews: There are often reviews of a particular site or product from
previous customers, which provide valuable feedback.
· Coupons and Deals: There are discount coupons and reward points available to
customers to encourage online transactions.
· Anytime Access: Even midnight access to e-commerce platforms is available,
which brings convenience to the customer.
B. Benefits to Business / Sellers
· Increased Customer Base: The number of people getting online is increasing, which
not only creates new customers but also helps retain the old ones.
· Instant Transaction: E-commerce transactions are based on real-time processes.
This has made it possible to close a large number of deals.
· Provides a dynamic market: Since there are several players, a dynamic market is
created which enhances quality and business.
· Reduction in costs:
§ To buyers from increased competition in procurement as more suppliers are
able to compete in an electronically open marketplace.
§ To suppliers by electronically accessing on-line databases of bid opportunities,
on-line abilities to submit bids, and on-line review of awards.
§ In overhead costs through uniformity, automation, and large-scale integration of
management processes.
§ Advertising costs.
· Efficiency improvement due to:
§ Reduction in time to complete business transactions, particularly from delivery
to payment.
§ Reduction in errors, time, for information processing by eliminating
requirements for re-entering data.
§ Reduction in inventories and reduction of risk of obsolete inventories as the
demand for goods and services is electronically linked through just-in- time
inventory and integrated manufacturing techniques.
(Q.: Explain efficiency improvement due to E-Business.)
· Creation of new markets: This is done through the ability to easily and cheaply
reach potential customers.
· Easier entry into new markets: This is especially into geographically remote
markets, for enterprises regardless of size and location.
· Better quality of goods: Standardized specifications and increased competition
improve quality, while expanded markets and the ability to produce customized goods
improve variety.
· Elimination of Time Delays: Faster time to market as business processes are
linked, thus enabling seamless processing and eliminating time delays.
C. Benefits to Government
· Instrument to fight corruption: In line with Government’s vision, e commerce
provides an important hand to fight corruption.
· Reduction in use of ecologically damaging materials through electronic
coordination of activities and the movement of information rather than physical

4. Explain various Components of E-COMMERCE.

(i) User: This may be an individual / organization or anybody using the e-commerce
platform. As e-commerce has made procurement easy and simple, just at the click of a
button, e-commerce vendors need to ensure that their products are not delivered to the
wrong users. In particular, e-commerce vendors selling products like medicines / drugs
need to ensure that such products are not delivered to the wrong person / user.

(ii) E-commerce Vendors: This is the organization / entity providing the user the
goods / services asked for. E-commerce vendors further need to ensure the following
for better, effective and efficient transactions:
· Suppliers and Supply Chain Management: These are another important
component of the whole operation. For effectiveness, vendors need to ensure that –
§ They have enough of the right goods suppliers.
§ The suppliers are financially and operationally sound.
§ Suppliers are able to provide real-time stock inventory.
§ The order-to-delivery time is very short.
· Warehouse operations: When a product is bought, it is delivered from the
warehouse of e-commerce vendor. This place is where online retailers pick products
from the shelf, pack them as per customer’s specification / pre-decided standards
and prepare those products to be delivered. These operations have become very
critical to the success of the whole ecommerce business.
· Shipping and returns: Shipping is supplementary and complementary to the whole
warehouse operation. Fast returns have become a Unique Selling Proposition (USP)
for many e-commerce vendors, so these vendors need very effective and efficient
return processing.
· E-Commerce catalogue and product display: Proper display of all products
being sold by the vendor, including product details and technical specifications, makes
for a better sales conversion ratio. These help customers gauge the products / services
being sold. A good catalogue makes a lot of difference to the whole customer experience.
· Marketing and loyalty programs: Loyalty programs establish a long-term
relationship with customer. The best examples can be customer loyalty programs
being run by airline industry. In airline industry, customer can get good discount /
free tickets based on loyalty points accumulated.
· Showroom and offline purchase: A few e-commerce vendors have realized over time
that their products sell faster if customers are able to feel / touch / see those products.
These vendors have opened outlets where customers can experience their products.
For example: Lenskart.
· Different Ordering Methods: These are the way customer can place his/her order,
say Cash on Delivery is today most preferred method.
· Guarantees: The product / service guarantee associated with the product / service
being sold. Money-back guarantees create a sense of security in the customer's mind
that, in case of any problem, their money will be safely returned.
· Privacy Policy: Represents the policy adopted by the e-commerce vendor vis-a-vis
customer data / information. An e-commerce website must have a privacy policy.
· Security: Represents the security policy adopted by the e-commerce vendor. The
vendor website needs to state that the data used to transact online is protected and
that the vendor uses appropriate security, including transport encryption with TLS
(Transport Layer Security, the successor to the now-deprecated SSL, Secure Socket
Layer). TLS protects the data a customer submits while it travels from his / her browser
to the web server, so that an attacker on the network cannot read or tamper with it in
transit; it does not protect that data once it is stored on the vendor's systems, which
needs separate controls (access control, encryption at rest, audit logging).
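"Uses SSL" says nothing about whether the other end's identity is checked, and that check is what stops an attacker on the path from simply presenting their own certificate. As an added example (not from the study material), the client-side TLS configuration a vendor's own back-end code would use when it calls, say, a hypothetical payment-gateway API over HTTPS: a weak context that only encrypts, beside a hardened one that also verifies the server against the platform CA store and refuses TLS versions older than 1.2, and a check function that reports what is wrong with a context. Nothing here opens a network connection.

```python
"""Weak versus hardened TLS client configuration (added example)."""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """Encrypts the connection but trusts any certificate.

    This is what "we use SSL" sometimes means in practice: a man-in-the-middle
    who presents a self-signed certificate is accepted without complaint, so the
    encryption protects the data only from passive eavesdroppers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be switched off before verify_mode can be
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the server against the platform CA store and insists on TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_problems(ctx: ssl.SSLContext) -> List[str]:
    """Reasons a context is unfit for talking to a payment gateway (empty = acceptable)."""
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not validated")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions older than 1.2 are allowed")
    return problems


if __name__ == "__main__":
    # Usage: pass the hardened context to http.client.HTTPSConnection(host, context=ctx)
    # (or to any HTTP library that accepts an SSLContext); the gateway host is hypothetical.
    print("weak:", context_problems(weak_client_context()))
    print("hardened:", context_problems(hardened_client_context()))
```

The hardened context is what ssl.create_default_context() already gives on a current Python; the weak one is the pattern that appears when a certificate error is "fixed" by disabling verification, and the checker is the kind of assertion worth running in a test suite so that it cannot quietly reappear.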
(iii) Technology Infrastructure: The computers, servers, database, mobile apps, digital
libraries, data interchange enabling the e-commerce transactions.
· Computers, Servers and Database
§ These are the backbone for the success of the venture. Big ecommerce
organization invest huge amount of money / time in creating these systems.
§ They store the data / program used to run the whole operation of the
§ As cloud computing is increasingly being used, many small / mid-sized e-
commerce organizations have started using shared infrastructures.
· Mobile Apps
§ Just as with the personal computer, mobile devices such as tablet computers
and smart phones also have operating systems and application software.
§ A mobile app is a software application programmed to run specifically on a
mobile device.
§ These days, most mobile devices run on one of two operating systems: Android
or iOS.
§ Android is an open-source operating system supported by Google whereas iOS
is Apple's mobile operating system.
§ Other mobile operating systems such as BlackBerry OS, Windows Mobile, and
Firefox OS have existed but have since been discontinued.
§ As organizations consider making their digital presence compatible with mobile
devices, they will have to decide whether to build a mobile app.
§ A mobile app is an expensive proposition, and it will only run on one type of
mobile device at a time.
§ For example, if an organization creates an iPhone app, those with Android
phones cannot run the application.
§ One option many companies have is to create a website that is mobile friendly.
§ A mobile website works on all mobile devices and costs about the same as
creating an app.
§ It includes the following:
§ Mobile store front modules are an integral part of m-commerce apps, where all
commodities and services are categorized and compiled in catalogues for
customers to easily browse through the items on sale and get essential
information about the products.
§ Mobile customer support and information module is a point of reference for
information about a particular retailer, its offerings and deals.
§ The news about the company, current discounts, shop locations and other
information is either pushed to users’ m-commerce apps or can be found in m-
commerce app itself.
§ Mobile banking is inextricably linked to selling process via m-commerce apps,
because no purchase can be finalized without a payment.
§ There are various options for executing mobile payments, among which are
direct mobile billing, payments via SMS, credit card payments through a familiar
mobile web interface, and payments at physical POS terminals with NFC.
· Digital Libraries:
§ A Digital Library is a special library with a focused collection of digital objects that
can include text, visual material, audio material, video material, stored as
electronic media formats (as opposed to print, microform, or other media), along
with means for organizing, storing, and retrieving the files and media contained
in the library collection.
§ Digital libraries can vary immensely in size and scope, and can be maintained by
individuals, organizations, or affiliated with established physical library buildings
or institutions, or with academic institutions.
§ The digital content may be stored locally, or accessed remotely via computer networks.

· Data Interchange: Data Interchange is an electronic communication of data.

§ For ensuring the correctness of data interchange between multiple players in e-
commerce, business specific protocols are being used.

§ There are defined standards to ensure seamless / exact communication in e-commerce.

· Internet / Network: This is the key to success of e-commerce transactions.

§ This is the critical enabler for e-commerce. Internet connectivity is important for
any e-commerce transactions to go through.
§ Net connectivity in present days can be through traditional as well as new
§ The faster net connectivity leads to better e-commerce. Many mobile companies
in India have launched 4G services.
§ At a global level, it is linked to the countries capability to create a high speed

· Web portal:
§ This provides the interface through which an individual / organization
performs e-commerce transactions.
§ The web portal is the application through which the user interacts with the e-commerce
vendor: the front end through which the user interacts for an e-commerce transaction.
§ These web portals can be accessed through desktops / laptops / PDA / hand-
held computing devices / mobiles and now through smart TVs also.
§ The simplicity and clarity of content on web portal is directly linked to customer
experience of buying a product online.

· Payment Gateway:
§ The payment mode through which customers shall make payments.
§ Payment gateway represents the way e-commerce / m-commerce vendors
collects their payments. The payment gateway is another critical component of
e-commerce set up.
§ This is the last and most critical part of an e-commerce transaction. It assures
the seller of receipt of payment from the buyer of the goods / services.
§ Presently numerous methods of payments by buyers to sellers are being used,
including Credit / Debit Card Payments, Online bank payments, Vendors own
payment wallet, Third Party Payment wallets, like SBI BUDDY or PAYTM, Cash
on Delivery (COD) and Unified Payments Interface (UPI).

5. Discuss the architecture of Networked Systems.

OR Explain the types of Network Architecture.

Architecture is a term used to define the style of design and method of construction,
generally for buildings and other physical structures.
In e-commerce, it denotes the way network architectures are built.
E-commerce runs on network-connected systems. Networked systems can have
two types of architecture, namely:
(i) Two tier, and
(ii) Three tier.

Two Tier Client Server
In a Two-tier network, client (user) sends request to Server and the Server responds
to the request by fetching the data from it. The Two-tier architecture is divided into two
tiers- Presentation Tier and Database Tier.

(i) Presentation Tier (Client Application/Client Tier):

· This is the interface that allows user to interact with the e-commerce / m-
commerce vendor.
· User can login to an e-commerce vendor through this tier.
· This application also connects to database tier and displays the various products
/ prices to customers.

(ii) Database Tier (Data Tier):

· The product data / price data / customer data and other related data are kept
here. The user has no direct access to data / information at this level but can
display all data / information stored here through the application tier.
The Advantages of Two-Tier Systems are as follows:
· The system performance is higher because business logic and database are
physically close.
· Since processing is shared between the client and server, more users can
interact with the system.
· Having a simple structure, the entire system is easy to set up and maintain.
The Disadvantages of Two-Tier Systems are as follows:
· Performance deteriorates as the number of users increases.
· There is restricted flexibility.
· Because the client application connects to the database directly, the database
credentials and the business rules reside on the client, so access control has to be
enforced by the database itself rather than by the application.
Three Tier Client Server
· Three-tier architecture is a software design pattern and a well-established software architecture.
· Its three tiers are the Presentation Tier, Application Tier and Data Tier.


· Three-tier architecture is a client-server architecture in which the functional process logic, computer data storage and user interface are developed and maintained as independent modules on separate platforms.
The three tiers are as follows:
(i) Presentation Tier: Occupies the top level and displays information related to services available on a website. This tier communicates with the other tiers by sending results to the browser and to the other tiers in the network.
(ii) Application Tier: Also called the Middle Tier, Logic Tier or Business Logic Tier; this tier is separated out from the presentation tier. It controls application functionality by performing detailed processing. In computer software, business logic is the part of the program that encodes the real-world business rules that determine how data can be created, displayed, stored and changed.
(iii) Database Tier: This tier houses the database servers where information is stored and retrieved.
· Data in this tier is kept independent of application servers or business logic.
· The data tier includes the data access layer, which should provide an Application Programming Interface (API) to the application tier that exposes methods of managing the stored data without exposing or creating dependencies on the data storage mechanisms.
· Avoiding dependencies on the storage mechanisms allows for updates or changes without the application tier clients being affected by or even aware of the change.
To conclude, in three-tier architecture three layers, namely Client, Server and Database, are involved:
· The Client sends a request to the Server; the Server sends the request to the Database for data; based on that request the Database sends the data back to the Server, and from the Server the data is forwarded to the Client.
The following are the advantages of three-tier systems:
· Clear separation of user interface and data presentation from application logic: through this separation more clients can have access to a wide variety of server applications. The two main advantages for client applications are quicker development and a shorter test phase.
· Dynamic load balancing: if bottlenecks in terms of performance occur, the server process can be moved to other servers at runtime.
· Change management: it is easier and faster to exchange a component on the server than to furnish numerous PCs with new program versions.
The disadvantages of three-tier systems are as follows:

· It creates an increased need for network traffic management, server load balancing and fault tolerance.
· Current tools are relatively immature and more complex.
· Maintenance tools are currently inadequate.

Which Architecture is used?

· In two-tier architecture, application performance degrades as the number of users increases and scaling is not cost-effective, whereas a three-tier architecture provides high performance, flexibility, maintainability and scalability, and improved security because the client does not have direct access to the database: every read or write passes through the application tier, where business rules and access checks are enforced.
· Apart from the usual advantages of modular software with well-defined interfaces, the three-tier architecture is intended to allow any of the three tiers to be upgraded or replaced independently in response to changes in requirements or technology.
· E-commerce applications generally follow the three-tier network architecture.
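The security point made above, that in a three-tier system the client never reaches the database directly, is easiest to see in code. The following Python example is added here and is not from the study text; it uses an in-memory SQLite database as the data tier, and the product rows, table names and class names are constructed for illustration. The two-tier client supplies its own order amount and the database records whatever it is sent; the three-tier OrderService looks up the catalogue price itself and validates stock and quantity, and the client can only call that service.

```python
"""Two-tier versus three-tier ordering (added example, not from the study text).

The data tier is an in-memory SQLite database; the catalogue rows are
constructed sample data and all names are assumptions.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


def make_data_tier() -> sqlite3.Connection:
    """Data tier: a product catalogue and an orders table with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               price_paise INTEGER, stock INTEGER);
        CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT, customer TEXT,
                             product_id INTEGER, qty INTEGER, amount_paise INTEGER);
        INSERT INTO products VALUES (1, 'Mobile phone', 1299900, 5);
        INSERT INTO products VALUES (2, 'Charger', 79900, 0);
        """
    )
    return conn


# ---------- Two tier: the client application holds the database connection ----------
class TwoTierClient:
    """Business logic lives in the client, so the client decides the amount.
    A tampered or malicious client can therefore write any amount it likes."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def place_order(self, customer: str, product_id: int, qty: int, unit_price_paise: int) -> int:
        # The price comes from the client, not from the catalogue.
        cur = self.conn.execute(
            "INSERT INTO orders (customer, product_id, qty, amount_paise) VALUES (?, ?, ?, ?)",
            (customer, product_id, qty, qty * unit_price_paise),
        )
        return self.conn.execute(
            "SELECT amount_paise FROM orders WHERE id = ?", (cur.lastrowid,)
        ).fetchone()[0]


# ---------- Three tier: client -> application tier -> data access layer -> database ----------
@dataclass(frozen=True)
class Product:
    id: int
    name: str
    price_paise: int
    stock: int


class ProductRepository:
    """Data access layer: the only component that knows SQL or the storage engine.
    It exposes methods, not the connection, so callers cannot reach the tables."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def get_product(self, product_id: int) -> Optional[Product]:
        row = self._conn.execute(
            "SELECT id, name, price_paise, stock FROM products WHERE id = ?", (product_id,)
        ).fetchone()
        return None if row is None else Product(*row)

    def record_order(self, customer: str, product: Product, qty: int, amount_paise: int) -> int:
        with self._conn:  # one transaction: stock decrement and order row together
            self._conn.execute(
                "UPDATE products SET stock = stock - ? WHERE id = ?", (qty, product.id)
            )
            cur = self._conn.execute(
                "INSERT INTO orders (customer, product_id, qty, amount_paise) VALUES (?, ?, ?, ?)",
                (customer, product.id, qty, amount_paise),
            )
        return cur.lastrowid


class OrderService:
    """Application tier: business rules are enforced here. The client supplies
    only what it legitimately knows (who, which product, how many)."""

    def __init__(self, repo: ProductRepository):
        self._repo = repo

    def place_order(self, customer: str, product_id: int, qty: int) -> dict:
        if qty <= 0:
            raise ValueError("quantity must be positive")
        product = self._repo.get_product(product_id)
        if product is None:
            raise LookupError(f"unknown product {product_id}")
        if product.stock < qty:
            raise ValueError(f"insufficient stock for {product.name}")
        amount = qty * product.price_paise  # server-side price, never client-supplied
        order_id = self._repo.record_order(customer, product, qty, amount)
        return {"order_id": order_id, "amount_paise": amount}


if __name__ == "__main__":
    # Two tier: the client writes a one-paisa phone and the database accepts it.
    print("two-tier amount:", TwoTierClient(make_data_tier()).place_order("alice", 1, 1, 1))
    # Three tier: the amount is the catalogue price regardless of what the client wants.
    service = OrderService(ProductRepository(make_data_tier()))
    print("three-tier order:", service.place_order("bob", 1, 2))
```

The point is not the parameterised SQL (both versions use it) but where the price and the stock check live: in the two-tier version nothing between the client and the table can refuse a bad amount, while in the three-tier version the client holds no database credentials at all.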

E-Commerce Architecture via the Internet

The following diagram (not reproduced here) depicts the e-commerce architecture via the Internet.

Description of each layer

1. Client / User Interface
   Includes: Web browser, web server and the Internet. For example, where a user buys a mobile phone from an e-commerce merchant, it includes the user, the web browser (Internet Explorer / Chrome) and the web server.
   Purpose: This layer helps the e-commerce customer connect to the e-commerce merchant.

2. Application Layer
   Includes: Application server and back-end server. For example, it includes the e-merchant, the reseller and the logistics partner.
   Purpose: Through these applications the customer logs in to the merchant's systems. This layer allows the customer to check the products available on the merchant's website.

3. Database Layer
   Includes: The information storehouse, where all data relating to products, prices etc. is kept.
   Purpose: This layer is accessible to the user only through the application layer.

E-Commerce Architecture via Mobile Apps

M-Commerce (Mobile Commerce): M-commerce is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and personal digital assistants (PDAs). M-commerce enables users to access the Internet from anywhere.

1. Client / User Interface
   Includes: Mobile web browser and the Internet. In the example discussed above, where a user buys a mobile phone from an e-commerce merchant, it includes the mobile app (application) and the user.
   Purpose: This layer helps the e-commerce customer connect to the e-commerce merchant.

2. Application Layer
   Includes: Application server and back-end server. In the same example, it includes the e-merchant, the reseller, the logistics partner and the payment gateway.
   Purpose: Through these applications the customer logs in to the merchant's systems. This layer allows the customer to check the products available on the merchant's website.

3. Database Layer
   Includes: The information storehouse, where all data relating to products, prices etc. is kept.
   Purpose: This layer is accessible to the user only through the application layer.


Description of E-Commerce Work Flow Diagram

1. Customer login: A few e-commerce merchants may allow the same transactions to be done over the phone, but the basic information flow is electronic.
2. Product / Service: The customer selects products / services from the available options.
3. Customer places order: The customer places an order for the selected product / service. This step leads to the next important activity, PAYMENT.
4. Payment gateway: Here the customer selects the payment method. Where the payment method is other than cash on delivery (COD), the merchant gets an update from the payment gateway about realisation of the payment from the customer. In the case of COD, the e-commerce vendor may do an additional check to validate the customer.
5. Dispatch and shipping process: This process may be executed at two different ends. First, if the product / service inventory is managed by the e-commerce vendor, dispatch is initiated at the merchant's warehouse. Second, many e-commerce merchants allow third-party vendors to sell through the merchant's website; for example, Flipkart states that it has more than 1 lakh registered third-party vendors on its website.
6. Delivery tracking: Another key element denoting the success of an e-commerce business is timely delivery. Merchants keep track of this. Merchants provide their delivery staff with handheld devices on which the delivery of the product / service to the customer is updated immediately.
7. COD tracking: Where products are sold on the COD payment mode, merchants need an additional check matching deliveries with the payments collected.
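Steps 4 to 7 above are control points as much as process steps: a prepaid order must not ship until the gateway has confirmed realisation of the full amount, and a COD delivery must be matched against the cash actually collected. The following Python example is added here and is not from the study text; the order records, the state names and the shape of the gateway update are constructed assumptions.

```python
"""Order workflow guards and COD reconciliation (added example, not from the
study text). Orders, gateway updates and delivery records below are
constructed sample data; state and field names are assumptions."""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount_paise: int
    payment_mode: str           # "PREPAID" (card / UPI / net banking) or "COD"
    state: str = "PLACED"       # PLACED -> PAID -> DISPATCHED -> DELIVERED
    cash_collected_paise: int = 0


class OrderWorkflow:
    """Steps 4 to 6 of the flow, with the transitions a merchant should refuse."""

    def __init__(self, orders):
        self.orders = {o.order_id: o for o in orders}

    def gateway_update(self, order_id: str, realised_paise: int) -> None:
        """Step 4: the payment gateway reports realisation for a prepaid order.
        Accepted only for an unpaid prepaid order and only for the full order
        amount, so a short, duplicate or misdirected update is rejected."""
        o = self.orders[order_id]
        if o.payment_mode != "PREPAID" or o.state != "PLACED":
            raise ValueError(f"{order_id}: gateway update not expected in state {o.state}")
        if realised_paise != o.amount_paise:
            raise ValueError(f"{order_id}: realised {realised_paise} != order amount {o.amount_paise}")
        o.state = "PAID"

    def dispatch(self, order_id: str) -> None:
        """Step 5: a prepaid order leaves the warehouse only once PAID; a COD
        order leaves unpaid, which is why step 7 exists."""
        o = self.orders[order_id]
        expected = "PAID" if o.payment_mode == "PREPAID" else "PLACED"
        if o.state != expected:
            raise ValueError(f"{order_id}: cannot dispatch from state {o.state}")
        o.state = "DISPATCHED"

    def deliver(self, order_id: str, cash_collected_paise: int = 0) -> None:
        """Step 6: the delivery staff's handheld records the delivery and, for
        COD, the cash taken at the door."""
        o = self.orders[order_id]
        if o.state != "DISPATCHED":
            raise ValueError(f"{order_id}: cannot deliver from state {o.state}")
        o.state = "DELIVERED"
        o.cash_collected_paise = cash_collected_paise


def reconcile_cod(orders) -> list:
    """Step 7: match each COD delivery with the cash recorded against it.
    Returns (order_id, reason) pairs that need follow-up with the delivery partner."""
    exceptions = []
    for o in orders:
        if o.payment_mode != "COD":
            continue
        if o.state == "DELIVERED" and o.cash_collected_paise != o.amount_paise:
            exceptions.append((o.order_id, f"collected {o.cash_collected_paise}, expected {o.amount_paise}"))
        elif o.state != "DELIVERED" and o.cash_collected_paise:
            exceptions.append((o.order_id, "cash recorded but no delivery"))
    return exceptions


def run_demo():
    """Constructed scenario: one prepaid order and two COD orders, one of which is
    delivered with no cash recorded. Returns the workflow and the exception list."""
    wf = OrderWorkflow([
        Order("ORD-1", 1299900, "PREPAID"),
        Order("ORD-2", 79900, "COD"),
        Order("ORD-3", 49900, "COD"),
    ])
    wf.gateway_update("ORD-1", 1299900)
    wf.dispatch("ORD-1")
    wf.deliver("ORD-1")
    wf.dispatch("ORD-2")
    wf.deliver("ORD-2", cash_collected_paise=79900)
    wf.dispatch("ORD-3")
    wf.deliver("ORD-3", cash_collected_paise=0)          # delivered, cash never recorded
    return wf, reconcile_cod(wf.orders.values())


if __name__ == "__main__":
    wf, exceptions = run_demo()
    print("COD exceptions:", exceptions)
```

In a real deployment the gateway update arrives as a callback from the payment service provider and must itself be authenticated before it is trusted (how, depends on the provider's contract), and the reconciliation runs against the delivery partner's settlement file rather than an in-memory list; the guards above are the same either way.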


6. What are the risks associated with E-Commerce Transactions that are high as compared to general Internet activities?
Risk: Risk is the possibility of loss. It may result from intentional or unintentional action by individuals.
Risks associated with e-commerce transactions are high compared to general internet activities. These include the following:
· Privacy and Security: These arise from hacking. There are often issues of security and privacy due to a lack of personalised digital access and knowledge.
· Quality issues: Customers raise quality issues when the product delivered differs from the one that was ordered.
· Delay in goods and hidden costs: When goods are ordered from another country, there are delays and hidden costs imposed by companies.
· Needs access to the internet and lack of personal touch: E-commerce requires an internet connection, which is an extra expense, and lacks the personal touch.
· Security and credit card issues: Credit and debit cards can be cloned, which poses a security threat.
· Infrastructure: There is a greater need not only for digital infrastructure but also for the expansion of road and rail networks, which remains a substantial challenge in developing countries.
· Problem of anonymity: There is a need to identify and authenticate users in the virtual global market, where anyone can sell to or buy from anyone, anything, from anywhere.
· Repudiation of contract: There is a possibility that the electronic transaction in the form of a contract, sale order or purchase may be repudiated (denied) by the trading partner or customer.
· Lack of authenticity of transactions: The electronic documents produced during an e-commerce transaction may not be authentic and reliable.
· Data loss, theft or duplication: Data transmitted over the Internet may be lost, duplicated or tampered with.
· Attack from hackers: Web servers used for e-commerce may be vulnerable to attack by hackers.
· Denial of Service: Service to customers may be denied due to non-availability of the system, which may be affected by viruses, e-mail bombs and floods of traffic.
· Non-recognition of electronic transactions: E-commerce transactions, as electronic records and digital signatures, may not be recognised as evidence in courts of law.
· Problem of piracy: Intellectual property may not be adequately protected when such property is transacted through e-commerce.
7. Explain meaning of control and relevance of control in E-business.
Controls are the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.
For example:
· A company may have a policy that forces employees to change their passwords every 30 days.
· A CA firm may not allow office staff access to social sites during office hours.

In an e-business environment, controls are necessary for all persons in the chain, namely:

· Users: Controls are important to ensure that the genuine user is using the e-commerce / m-commerce platform. There is a risk that user accounts are hacked and the hackers buy products / services.

· Sellers / Buyers / Merchants: These parties need a proper framework in place to ensure the success of the business. Many e-commerce businesses have lost huge amounts of money because they did not have proper controls in place. These include controls on:
§ Product catalogues
§ Price catalogues
§ Discounts and promotional schemes
§ Product returns
§ Accounting for cash received through the Cash on Delivery mode of sales.

· Government: Governments across the world, and in India, have a few critical concerns vis-a-vis electronic transactions, namely:
§ Tax accounting of all products / services sold.
§ All products / services sold are legal. There have been instances where narcotic drugs were found to be sold and bought through electronic means.

· Network Service Providers: They need to ensure the availability and security of the network. Any downtime of the network can be disastrous for the business.

· Technology Service Providers: These include all service providers other than the network service provider, for example cloud computing back-ends, application back-ends etc. They are also exposed to availability and security risks.

· Logistics Service Providers: The success or failure of any e-commerce / m-commerce venture finally lies here. Logistics service providers are the ones finally responsible for timely product delivery.

· Payment Gateways: An e-commerce vendor's business runs only when its payment gateways are efficient, effective and fool-proof.

- Each participant needs to put controls in place in an e-commerce environment.
- Any lack of controls at any one participant can bring risk to the whole chain.
- All participants discussed above need to be trained and educated in proper controls.
- Each participant needs to put policies, practices and procedures in place to protect against e-commerce / m-commerce related risks.
- These will include the following:

1. Educating the participant about the nature of risks.

Every participant needs to be educated about the risks associated with such transactions. Organisations need to put infrastructure / policy guidelines in place for the same. These policies may include the following:
§ Frequency and nature of education programmes.
§ The participants for such programmes.

For example: banks in India that allow online payments publish "Dos and Don'ts for online payments" on their websites.
The more informed your organisation is, the easier it will be to combat online threats and to carry out risk-mitigating measures.

2. Communication of organisational policies to its customers.

To avoid customer dissatisfaction and disputes, it is necessary to make the following information clear throughout your website: privacy policies, information security, shipping and billing policies, and refund policies.

3. Ensure compliance with industry body standards.

All e-commerce organisations are required to comply with and adhere to the rules outlined by the law. In India the Reserve Bank of India has been releasing these standards from time to time.

4. Protect your e-commerce business from intrusion.

· Viruses: Scan your website and servers regularly for malware, the presence of which can result in the loss of valuable data.
· Hackers: Use vulnerability scanning tools to carry out regular assessments of how vulnerable your website is to attackers.
· Passwords: Ensure employees change these regularly, and that the accounts and passwords of former employees are disabled as soon as they leave.
· Regular software updates: Keep the site's software (web server, application framework, plug-ins and security tools) patched and up to date.
· Sensitive data: Consider encrypting financial information and other confidential data (using encryption software). Hackers or third parties will not be able to read encrypted data without the key, so the key must be stored and protected separately from the data it protects. This is particularly relevant for any e-commerce site that uses a shopping cart.
· Know the details of your payment service provider contract.

(Q: What are the ways of protecting your e-commerce business from intrusion?)

8. Explain various Control Objectives.

· Prevent organisational costs of data loss: Data is a critical resource of an organisation for its present and future processes and for its ability to adapt and survive in a changing environment.
· Prevent loss from incorrect decision making: Management and operational controls taken by managers involve the detection, investigation and correction of out-of-control processes. These high-level decisions require accurate data to make quality decision rules.
· Prevent loss of computer hardware, software and personnel: These are critical resources of an organisation which have a considerable impact on its infrastructure and business competitiveness.
· Prevent the high costs of computer error: In a computerised enterprise environment where many critical business processes are performed, a data error during entry or processing could cause great damage.
· Safeguard assets from unauthorised access: The information system assets (hardware, software, data files etc.) must be protected by a system of internal controls from unauthorised access.

· Ensure data integrity: The importance of maintaining the integrity of an organisation's data depends on the value of the information, the extent of access to the information and the value of the data to the business from the perspective of the decision maker, competition and the market environment.
· System effectiveness objectives: The effectiveness of a system is evaluated by auditing the characteristics and objectives of the system to meet substantial user requirements.
· System efficiency objectives: To optimise the use of the various information system resources (machine time, peripherals, system software and labour) along with the impact on its computing environment.

9. Briefly explain Cyber Security Risk Considerations & Impact.

The business and technological environment in which entities operate is rapidly changing on account of the e-commerce platforms on which most of them now operate. Therefore, it is imperative to consider cyber security risks in the audit procedures. Risk assessment is always a very important part of the audit procedures.
One of the most important aspects to be kept in mind during the risk assessment process is giving due consideration to the changing risks in the entity and its environment due to the ever-evolving technology landscape, which can have a potential impact on the financial statements.

There could be cyber security risks with direct as well as indirect impact.
· A direct financial impact could arise if the application at the company's retailers which contains financial information has weak passwords, resulting in harm to the integrity of the data.
· An indirect operational impact could arise if sensitive customer information in the form of bank account numbers, recipes of patented products, etc. were breached, resulting in legal and regulatory action against the company on account of the breach of confidential information.

Standard on Auditing (SA) 315 recognises that IT poses specific risks to an entity's internal control in the form of the following:
· Reliance on systems or programs that are inaccurately processing data,
processing inaccurate data, or both.
· Unauthorized access to data that may result in destruction of data or improper
changes to data, including the recording of unauthorized or non-existent
transactions, or inaccurate recording of transactions.
· Particular risks may arise where multiple users access a common database.
· Unauthorized changes to data in master files.
· Unauthorized changes to systems or programs.
· Inappropriate manual intervention.
· Potential loss of data or inability to access data as required.

Illustrations of the considerations as controls addressing key cyber security risks are as under:
· A network diagram detailing servers, databases, hubs, routers, internal and external networks, etc.
· A list of the digital assets used by the company along with the physical location of those assets.
· A policy and procedure document on the criticality of the digital assets.
· Any incidents of cyber security breach which occurred, the actions taken and the controls built in to prevent them from recurring.
· Annual review by the CIO.
· The entity should have an IT security policy circulated to all employees detailing the procedures to be adhered to when accessing IT systems / resources, such as password security, restricted use of the internet, etc.
· Periodic review of access rights to all IT resources to ensure that the access granted to users is commensurate with their functional roles and responsibilities, and that accounts of people who have left are disabled.
· Adequate approvals exist before access is granted to any IT resource.
· Use of firewalls by the company to control internet activity.
· All remote access logins are configured for two-factor authentication, for example a password combined with a PIN, one-time code or hardware token.
· Backups are scheduled properly and periodically checked by actually restoring data.

The above procedures are also to be considered for assets not owned by the company but where the company utilises services from another service provider, for example where server maintenance and security is outsourced to a service provider.

10. Define the Guidelines for E-Commerce.

Guidelines for E-Commerce

Every entity going into e-commerce / m-commerce business needs to create clear policy guidelines for the following:

1. Billing: The issues are:

· Format of the bill
· The details to be shared in bills
· Applicable GST

2. Product guarantee / warranty: Proper display of the product guarantee / warranty online as well as in the documents sent along with the products.

3. Shipping: The shipping time, frequency of shipping and the packing at the time of shipping all need to be put in policy documents. This ensures products are properly packed and shipped on time.

4. Delivery: Policy needs to be defined for:

· Which mode of delivery is to be chosen? Say courier / third-party hand delivery / own staff hand delivery.
· When are deliveries to be made? Say the time of day.
· Where are deliveries to be made? Say the buyer's office / home, or through dedicated delivery shops.

5. Return: A policy for the return of goods needs to be put in place defining:

· Which goods are accepted in return? Food products would generally not be accepted.
· The number of days within which returns can be accepted.
· The process of verifying the authenticity of products received back.
· The time within which the buyer shall be repaid for goods returned.

6. Payment: Policy guidelines need to be created for the following payment-related issues:
· Mode of payment.
· For which products a specific payment mode shall apply. Organisations restrict cash on delivery for some consumable products.

11. Define Commercial Laws Governing E-Commerce

All e-commerce transactions are commercial business transactions. All these transactions are covered under multiple laws, including commercial laws. The following commercial laws are applicable to e-commerce and m-commerce transactions.

1. Income Tax Act, 1961: The Income Tax Act has detailed provisions regarding the taxation of income in India. In respect of e-commerce / m-commerce transactions, the issue of deciding the place of origin of a transaction for tax purposes is critical.

2. Companies Act, 2013: The Companies Act, 2013 regulates the corporate sector. The law defines all regulatory aspects for companies in India. Most of the merchants in e-commerce / m-commerce business are companies, both private and public.

3. Foreign Trade (Development and Regulation) Act, 1992: An Act to provide for the development and regulation of foreign trade by facilitating imports into, and augmenting exports from, India and for matters connected therewith or incidental thereto. Amazon has recently allowed Indian citizens to purchase from its global stores; all such purchases are regulated under the above law.

4. The Factories Act, 1948: An Act to regulate the working conditions of workers. The Act extends to places of storage as well as transportation. Most of the merchants in e-commerce / m-commerce business need to comply with the provisions of the Act.

5. The Customs Act, 1962: The Act that defines import / export of goods / services from India and provides for the levy of appropriate customs duty. India, being a signatory to the General Agreement on Tariffs and Trade (GATT) under the World Trade Organisation, cannot levy any customs duty that is GATT non-compliant. This law is the subject of debate across the world. For example: where an Indian company downloads software sold by a foreign company, is the same chargeable to import duty?

6. The Goods and Services Tax Act, 2017 (GST): This Act requires each applicable business, including e-commerce / m-commerce, to upload each sales and purchase invoice to one central IT infrastructure, mandating reconciliation of transactions between businesses, triggering of tax credits on payment of GST, facilitating the filing of e-returns, etc.

7. Indian Contract Act, 1872: The Act defines the constituents of a valid contract. In the case of e-commerce / m-commerce business it becomes important to define these constituents for electronic transactions.

8. The Competition Act, 2002: A law to regulate practices that may have an adverse effect on competition in India. The Competition Commission has been vigilant to ensure that e-commerce / m-commerce merchants do not engage in predatory practices.

9. Foreign Exchange Management Act, 1999 (FEMA): The law to regulate foreign direct investment and the flow of foreign exchange in India. The law has important implications for e-commerce / m-commerce business. With a view to promoting foreign investment, as per regulations framed under the Foreign Exchange Management Act, 1999 (FEMA), FDI up to 100% under the automatic route is permitted in companies engaged in e-commerce, provided that such companies engage in Business to Business (B2B) e-commerce. Foreign investment in Business to Customer (B2C) e-commerce activities has been opened in a calibrated manner, and an entity is permitted to undertake retail trading through e-commerce under the following conditions:
(i) A manufacturer is permitted to sell its products manufactured in India through e-commerce retail.
(ii) A single-brand retail trading entity operating through brick-and-mortar stores is permitted to undertake retail trading through e-commerce.
(iii) An Indian manufacturer is permitted to sell its own single-brand products through e-commerce retail. The Indian manufacturer would be the investee company, which is the owner of the Indian brand and which manufactures in India, in terms of value, at least 70% of its products in-house, and sources at most 30% from Indian manufacturers.

10. Consumer Protection Act, 1986: The law to protect consumer rights has been the source of most litigation for transactions done through e-commerce and m-commerce.

All the laws above have the same nature of applicability as in a normal commercial transaction. The fact that transactions are done electronically gives rise to issues which are unique in nature.

12. Define Special Laws governing E-Commerce

E-commerce transactions are also covered under a few other laws, as these transactions are done electronically:
§ Information Technology Act, 2000 (as amended in 2008)
§ Reserve Bank of India Act, 1934

I. Information Technology Act, 2000

This law governs electronic transactions and internet activities in India. The law is applicable to all online transactions in India, and provides for penalties and prosecution for non-compliance. The important issues dealt with by the law include:
· Legality of products / services being offered online.
· Data protection.
· Protecting your customers' privacy online.
· Online advertising compliance.
· Compliance with the provisions of the Information Technology Act.

II. Reserve Bank of India Act, 1934

The Reserve Bank of India (RBI), from time to time, frames guidelines to be followed by e-commerce / m-commerce merchants allowing online payments through various modes. The merchant needs to comply with these guidelines.
For example:
· The conversion of all credit / debit cards to chip-based (EMV) cards.
· An OTP / PIN for all transactions done on point-of-sale machines through debit / credit cards.
· Compliance with capital adequacy norms for payment wallets such as SBI Buddy.


13. Explain Digital Payments. Define the different types of Digital Payments.

· Digital payment is a way of payment which is made through digital modes.
· In digital payments, payer and payee both use digital modes to send and receive money.
· It is also called electronic payment.
· No hard cash is involved in digital payments.
· All transactions in digital payments are completed online.
· It is an instant and convenient way to make payments.
· New digital payment platforms such as UPI and IMPS are becoming increasingly popular.
· Using these new platforms, banks have been scaling rapidly.

Different Types of Digital Payments

I. New Methods of Digital Payment

(i) UPI Apps: The Unified Payments Interface (UPI) and retail payment banks are changing the very face of banking in terms of moving most banking to digital platforms using mobiles and apps.
· UPI is a system that powers multiple bank accounts (of participating banks), several banking features such as fund transfer, and merchant payments in a single mobile application.
· UPI is a payment mode used to make fund transfers through a mobile app.
· A user can transfer funds between two accounts using UPI apps.
· The user must be registered for mobile banking to use UPI apps.
· The user needs to download a UPI app and create a UPI ID (virtual payment address).
· There are many UPI apps available, such as BHIM, the SBI UPI app, the HDFC UPI app, iMobile, PhonePe etc.

(ii) Immediate Payment Service (IMPS): It is an instant interbank electronic fund transfer service through mobile phones.
· It is also being extended through other channels such as ATM, internet banking etc.

(iii) Mobile Apps: BHIM (Bharat Interface for Money) is a mobile app developed by the National Payments Corporation of India (NPCI) based on UPI (Unified Payments Interface).
· It facilitates e-payments directly through banks and supports all Indian banks which use that platform.
· It is built on the Immediate Payment Service infrastructure and allows the user to instantly transfer money between the bank accounts of any two parties.
· BHIM works on all mobile devices and enables users to send or receive money to other UPI payment addresses by scanning a QR code, or, for users who do not have a UPI-based bank account, by using the account number with the Indian Financial System Code (IFSC) or the MMID (Mobile Money Identifier) code.

(iv) Mobile Wallets: A mobile wallet is defined as a virtual wallet that stores payment card information on a mobile device.
· Mobile wallets provide a convenient way for a user to make in-store payments and can be used at merchants listed with the mobile wallet service provider.
· There are mobile wallets like Paytm, Freecharge, Buddy, MobiKwik etc.
· Some of these are owned by banks and some by private companies.

(v) Aadhaar Enabled Payment Service (AEPS): The Government of India is planning to launch this in the near future.
· AEPS is an Aadhaar-based digital payment mode.
· The customer needs only his or her Aadhaar number (with a fingerprint for authentication) to pay any merchant.
· AEPS allows bank-to-bank transactions.
· This means the money you pay is deducted from your account and credited to the payee's account directly.
· Customers need to link their Aadhaar numbers to their bank accounts.
· AEPS, once launched, can be used at POS terminals also.

(vi) Unstructured Supplementary Service Data (USSD): A revolutionary idea, where to make payments through mobiles there is no need for the internet or a smartphone.
· USSD banking, or *99# banking, is a mobile-banking-based digital payment mode.
· The user does not need a smartphone or an internet connection to use USSD banking.
· It can be used easily with any normal feature phone.
· USSD banking is as easy as checking the mobile balance.
· The user can use this service for many financial and non-financial operations, such as checking the balance, sending money, changing the Mobile Banking Personal Identification Number (MPIN) and getting the Mobile Money Identifier (MMID).

II. Traditional Methods of Digital Payment

(i) E-Wallet: An e-wallet or mobile wallet is the digital version of a physical wallet with more functionality.
· Users can keep money in an e-wallet and use it when needed.
· E-wallets are used to recharge phones, pay at various places and send money to others.
· If users have a smartphone and a stable internet connection, they can use e-wallets to make payments.
· These e-wallets also give additional cashback offers.
· Some of the most used e-wallets are State Bank Buddy, ICICI Pockets, Freecharge, Paytm etc.

(ii) Cards: Cards are provided by banks to their account holders. These have been
the most used digital payment modes till now. The various types of cards are as
follows:
§ Credit Cards: A small plastic card issued by a bank, or other issuer, allowing
the holder to purchase goods or services on credit.
In this mode of payment, the buyer's cash flow is not immediately
impacted. The card user makes payment to the card issuer at the end of the billing
cycle, which is generally a monthly cycle.
Credit card issuers charge customers transaction fees per transaction / 5% of the
transaction.
§ Debit Cards: A small plastic card issued by a bank, allowing the holder to
purchase goods or services on credit. In this mode of payment, the buyer's cash
flow is immediately affected: as soon as the payment is authorized, the buyer's
account is debited.

(iii) Net Banking: In this mode, the customer logs in to his/her bank account and
makes payments.
All public sector and large private sector banks allow net banking facilities to their

14. Advantages of Digital Payments

· Easy and convenient: Digital payments are easy and convenient. People do not
need to carry loads of cash with them.
· Pay or send money from anywhere: With digital payment modes, one can pay
from anywhere at any time.
· Discounts from taxes: The Government has announced many discounts to
encourage digital payments.
Users get a 0.75% discount on fuel and a 10% discount on insurance premiums of
government insurers.
· Written record: Users often forget to note down their spending, and even when
they do, it takes a lot of time.
Digital payments are automatically recorded in the passbook or inside the E-Wallet app.
This helps to maintain records, track spending and plan budgets.
· Less Risk: Digital payments carry less risk if used wisely. If a user loses a mobile
phone, debit/credit card or Aadhar card, there is no need to worry a lot. No one can use
anyone else's money without the MPIN, PIN or fingerprint in the case of Aadhar. It is
advised that the user should get the card blocked if it is lost.

15. What are some drawbacks of Digital Payments?

· Difficult for a non-technical person: As most of the digital payment modes are
based on mobile phones, the internet and cards, these modes are somewhat
difficult for non-technical persons such as farmers, workers etc.
· The risk of data theft: There is a big risk of data theft associated with digital
payment modes. Hackers can hack the servers of the bank or the E-Wallet a customer
is using and easily get his/her personal information.
They can use this information to steal money from the customer's account.
· Overspending: One keeps limited cash in one's physical wallet and hence thinks
twice before buying anything.
But if digital payment modes are used, one has access to all one's money, which
can result in overspending.

Computing Technologies
1. What do you mean by the term Virtualization? Explain the major applications
of Virtualization. (Nov 16)

· In computing, virtualization means to create a virtual version of a
device or resource, such as a server, storage device, network or
even an operating system, where the framework divides the resource
into one or more execution environments. Virtualization refers to
technologies designed to provide a layer of abstraction between
computer hardware systems and the software running on them.
· The core concept of Virtualization lies in Partitioning, which divides
a single physical server into multiple logical servers. Once the
physical server is divided, each logical server can run an
operating system and applications independently.
· For example, partitioning of a hard drive is considered virtualization
because one drive is partitioned in a way that creates two separate hard
drives. Devices, applications and human users are able to interact with
the virtual resource as if it were a real single logical resource.

Major applications:
a) Server Consolidation: Virtual machines are used to consolidate many
physical servers into fewer servers, which in turn host virtual machines.
This is also known as "Physical-to-Virtual" or 'P2V' transformation.
b) Disaster Recovery: Virtual machines can be used as "hot standby"
environments for physical production servers. This helps to take over
or shift the load of a physical server to a virtual server in case of disaster or
shutdown of the physical server.
c) Testing and Training: Hardware virtualization also helps to provide
training platforms, as these offer a combination of multiple resources
without affecting the working of the underlying physical resources. This
can be very useful, for example, in kernel development and operating
system courses.
d) Portable Applications: Portable applications are needed when
running an application from a removable drive, without installing it on
the system's main disk drive.
e) Portable Workspaces: Recent technologies have used virtualization
to create portable workspaces on devices like iPods and USB memory

2. Explain different types of virtualization

· Hardware Virtualization: (Nov 14)

§ Hardware Virtualization or Platform Virtualization refers to the creation
of a virtual machine that acts like a real computer with an
operating system.
§ Software executed on these virtual machines is separated from the
underlying hardware resources. For example, a computer that is
running Microsoft Windows may host a virtual machine that looks like a
computer with the Linux operating system; Linux-based software can then be
run on the virtual machine.
§ The basic idea of Hardware virtualization is to consolidate many
small physical servers into one large physical server so that the
processor can be used more effectively. The software that creates a
virtual machine on the host hardware is called a hypervisor or Virtual
Machine Manager. The hypervisor controls the processor, memory
and other components by allowing several different operating systems
to run on the same machine. The operating system running on the
machine will appear to have its own processor, memory and other
components.
· Network Virtualization: (PM) (May 15)

§ Network virtualization is a method of combining the available resources
in a network by splitting up the available bandwidth into channels, each
of which is independent from the others, and each of which can be
assigned (or reassigned) to a particular server or device in real time.
§ This allows a large physical network to be provisioned into
multiple smaller logical networks and conversely allows multiple
physical LANs to be combined into a larger logical network.
§ This behavior allows administrators to improve network traffic and
enterprise security.
§ Network virtualization involves platform virtualization, often combined
with resource virtualization of network hardware such as switches
and network interface cards (NICs); networks such as virtual LANs
(VLANs); network storage devices; etc. Network virtualization is
intended to optimize network speed, reliability, flexibility, and security.

· Storage Virtualization: (PM) (May 16)

§ Storage virtualization is the apparent pooling of data from multiple
storage devices, even different types of storage devices, into what
appears to be a single device that is managed from a central console.
§ Storage virtualization helps the storage administrator perform the
tasks of backup, archiving, and recovery more easily and in less time.
§ Administrators can implement virtualization with software applications
or by using hardware and software hybrid appliances. The users or
servers connected to the storage system aren't aware of where
the data really is. Storage virtualization is sometimes described as
"abstracting the logical storage from the physical storage."

Grid Computing

3. What is Grid Computing? What are the possible application areas for
using grid computing? (PM) (Nov 14)

Grid Computing:
a) This is a computer network in which each computer's resources are
shared with every other computer in the system.
b) Processing power, memory and data storage are all community
resources that authorized users can tap into and leverage for specific
tasks.
c) In Grid computing, every distributed resource (i.e. one which may be
located at a different location) is shared in such a way that the grid
computing network turns into a powerful supercomputer for processing.
d) In grid computing, every authorized user or computer system gets
access to enormous processing power.

Some of the application areas / reasons for using Grid Computing are as
follows:
a) Grid computing helps people involved in complex science and
engineering research by allowing them to use heterogeneous
computing resources, information systems and instruments which are
located around the world.
b) Civil engineers work together to design, execute and analyze shake
table experiments (i.e. earthquake experiments for building structures).
c) An insurance company mines data from partner hospitals for fraud
detection.
d) An application service provider offloads excess load to a compute cycle
provider.
e) An enterprise like Amazon uses grid computing to configure internal and
external resources to support e-Business.

4. Explain benefits of grid computing (PM)

· Access to additional resources: Grid computing also helps to use
additional resources from multiple servers and storage devices.
· Making use of Underutilized Resources: In most organizations, there are large
amounts of underutilized computing resources, including server machines. Grid
computing provides a framework for exploiting these underutilized resources and
thus has the possibility of substantially increasing the efficiency of resource
usage.
· Resource Balancing: Grid helps to perform resource balancing by using all
the resources in an optimum manner to provide efficient performance.
· Parallel CPU capacity: Grid computing helps to use many CPUs of different
servers in parallel, which further helps to increase performance.
· Reliability: Grid computing provides a highly reliable environment for working,
that is, users can work without failure.
· Virtual Resources and Virtual Organization for collaboration: Grid computing
helps to provide collaboration among a large number of organizations and a large
number of users for performing complex tasks.
· Management: Grid computing offers a range of network management activities,
including virtualization, to increase the effectiveness of the grid network. The grid
offers management of priorities among different projects.

5. Explain different types of resources for grid computing

A grid is a collection of machines, referred to as nodes, and devices which form a
grid as a whole.

· Computation: This is the most common resource of grid computing. This
contains the CPUs which perform the computation or process the given request.
· Storage: This is the second most common resource in a grid. Each machine
usually contains some storage, and together a grid uses a large volume of storage
resources. Storage can be memory attached to the processor or it can be
secondary storage, using hard disk drives or other permanent storage media.
· Communication: This resource helps in data flow between different servers. The
bandwidth available for such communications can often be a critical resource that
can limit utilization of the grid.
· Software and Licenses: Software is one of the most expensive resources of a grid,
and installing software at each server requires software and a license.
· Special equipment, capabilities, architecture and policies: A grid uses
different architectures, operating systems and devices, and may include machines
that may be designed for specific types of tasks. For example, some machines
may be designated to be used only for medical research.

6. Discuss the constraints that need to be taken into consideration while
developing a secured Grid Architecture. (PM) (May 16)

Grid computing requires standard security functions such as Authentication, Access
control, Integrity, Privacy and Non-repudiation.

To develop a security architecture, the following constraints need to be considered:

· Single sign-on: A user should be authenticated once and should then be able
to acquire resources, use them, release them and communicate internally
without any further authentication.
· Protection of credentials: The user's password and private key should be protected.
· Support for secure group communication: There should be secure group
communication to provide coordinated activities for a group.
· Support for multiple implementations: There should be a security policy which
provides common security to multiple resources / installations based on
public and private key cryptography.
· Interoperability with local security solutions: Access to local resources should
be governed by the local security policy at the local level. Instead of modifying every local
resource, there is an inter-domain security server for providing security to local
resources.
Cloud Computing

7. What is Cloud Computing?

· It is a network technique which helps organizations to share resources using
the Internet.
· Cloud Computing is the use of various services, such as software development
platforms, servers, storage, and software, over the Internet, often referred to as
the "cloud."
· The best example of cloud computing is Google Apps, where any application
can be accessed using a browser and it can be deployed on thousands of
computers through the Internet. Other examples: Apple iCloud, Amazon Web Services.

8. What are the Characteristics of Cloud Computing? (PM) (May 15)

a) Elasticity and Scalability: Gives us the ability to expand and reduce resources
according to the specific service requirement.

b) Pay-per-Use: We pay for cloud services only when we use them, either for the short
term or for a longer duration.

c) On-demand: Because we invoke cloud services only when we need them, they are
not permanent parts of the IT infrastructure; this is a significant advantage for cloud
use as opposed to internal IT services. With cloud services there is no need to have
dedicated resources waiting to be used, as is the case with internal services.

d) Resiliency: The resiliency of a cloud service offering can completely isolate the
failure of server and storage resources from cloud users. Work is migrated to a
different physical resource in the cloud with or without user awareness and
intervention.
e) Multi Tenancy / Sharing: Public cloud service providers often can host the cloud
services for multiple users within the same infrastructure.
f) Workload Movement: This characteristic is related to resiliency and cost
considerations. Here, cloud-computing providers can migrate workloads across
servers both inside the data center and across data centers (even in a different
geographic area). This migration might be necessitated by cost.
9. Advantages of Cloud Computing
· Achieve economies of scale: Volume output or productivity can be increased
even with fewer systems, thereby reducing the cost per unit of a project or
· Globalize the workforce: People worldwide can access the cloud with an Internet
connection.
· Streamline business processes: Getting more work done in less time with fewer
resources is possible.
· Reduce capital costs: There is no need to spend huge money on hardware, software,
or licensing fees.
· Pervasive accessibility: Data and applications can be accessed any time,
anywhere, using any smart computing device, making our life so much easier.
· Monitor projects more effectively: It is feasible to stay within budgetary
allocations and to be ahead of completion cycle times.
· Less personnel training is needed: It takes fewer people to do more work on a
cloud, with a minimal learning curve on hardware and software issues.
· Minimize maintenance and licensing software: As there are not many on-premise
computing resources, maintenance becomes simple, and updates and
renewals of software systems rely on the cloud vendor or provider.
· Improved flexibility: It is possible to make fast changes in our work environment
without serious issues at stake.
10. Drawbacks of Cloud Computing:
· If the Internet connection is lost, the link to the cloud and thereby to the data and
applications is lost.
· Security is a major concern as the entire working with data and applications depends on
other cloud vendors or providers.
· Although Cloud computing supports scalability (i.e. quickly scaling computing
resources up and down depending on the need), it does not permit control over these
resources as they are not owned by the user or customer.
· Depending on the cloud vendor or provider, customers may have to face restrictions
on the availability of applications, operating systems and infrastructure options.
· Interoperability (the ability of two or more applications that are required to support a
business need to work together by sharing data and other business-related
resources) is an issue wherein all the applications may not reside with a single cloud
vendor and two vendors may have applications that do not cooperate with each other.
11. What are the different types of cloud computing environments?

Types of clouds
· Cloud architecture typically involves multiple cloud components.
· The cloud computing environment can consist of multiple types of clouds based on
their deployment and usage. Such typical Cloud computing environments, catering
to special requirements, are briefly described as follows:

Public Clouds (Can be asked as a separate question: What is public cloud
and its advantages?) [PM]
· This environment can be used by the general public.
· This includes individuals, corporations and other types of organizations.
Typically, public clouds are administrated by third parties or vendors over
the Internet, and the services are offered on pay-per-use basis.
· These are also called provider clouds.
· Public cloud consists of users from all over the world wherein a user can simply
purchase resources on an hourly basis and work with the resources which are
available in the cloud provider’s premises.

· Characteristics of Public Cloud are as follows:

§ Highly Scalable: The resources in the public cloud are large in number
and the service providers make sure that all requests are granted.
§ Highly Available: It is highly available because anybody from any part of
the world can access the public cloud with proper permission.
§ Affordable: The cloud is offered to the public on a pay-as-you-go basis;
hence the user has to pay only for what he or she is using (using on a
per-hour basis).
§ Less Secure: Since it is offered by a third party and they have full control
over the cloud, the public cloud is less secure out of all the other models.
§ Stringent SLAs: As the service provider’s business reputation and customer
strength are totally dependent on the cloud services, they follow the SLAs
strictly and violations are avoided.

· The Advantages of public cloud include the following:

§ They are available at affordable costs.
§ It allows the organizations to deliver highly scalable and reliable
applications rapidly and at more affordable costs.
§ There is no need for establishing infrastructure for setting up and
maintaining the cloud.
§ Strict SLAs are followed.
§ There is no limit for the number of users.

· The limitations of public cloud include the following:

§ Security assurance and thereby building trust among the clients.
§ Further, privacy and organizational autonomy are not possible.

Private Clouds (Can be asked as a separate question: What is private cloud and its
advantages?) [PM]

· This cloud computing environment resides within the boundaries of an
organization and is used exclusively for the organization's benefit. These are
also called internal clouds.
· Private Clouds can either be private to the organization and managed by
the single organization (On-Premise Private Cloud) or can be managed by
third party (Outsourced Private Cloud).
· They are built primarily by IT departments within enterprises.

· Characteristics of Private cloud:

§ Secure: The private cloud is secure as it is owned and managed by the
organization itself, and hence there is least chance of data being leaked
out of the cloud.
§ Central Control: Since private cloud is managed by the organization itself,
there is no need for the organization to rely on anybody and it’s controlled by
the organization itself.
§ Weak Service Level Agreements (SLAs): SLAs play a very important role
in any cloud services. In private cloud, either Formal SLAs do not exist or are
weak as it is between the organization and user of the same organization.

· The advantages of private clouds include the following:

§ They improve average server utilization.
§ They reduce operations costs and administrative overheads.
§ They provide a high level of security and privacy to the user.
§ They are small in size and controlled and maintained by the organization.

· The limitations of private clouds include the following:

§ IT teams in the organization may have to invest separately in buying,
building and managing the clouds. Budget is a constraint in private clouds.
§ They have loose SLAs.

Hybrid Clouds
· This is a combination of both at least one private (internal) and at least one public
(external) cloud computing environments.
· The usual method of using the hybrid cloud is to have a private cloud initially, and
then for additional resources, the public cloud is used. The hybrid cloud can be
regarded as a private cloud extended to the public cloud and aims at utilizing the
power of the public cloud by retaining the properties of the private cloud.

· Characteristics of Hybrid Cloud are as follows:

§ Scalable: The hybrid cloud has the property of a public cloud with a private cloud
environment, and as the public cloud is scalable, the hybrid cloud is also scalable.
§ Partially Secure: The private cloud is considered secure and the public cloud
has a high risk of security breach. The hybrid cloud is thus partly secure.
§ Stringent SLAs: Overall the SLAs are more stringent than the private cloud and
might be as per the public cloud service providers.
§ Complex Cloud Management: Cloud management is complex as it involves
more than one type of deployment model.

· The Advantages of Hybrid Cloud include the following:

§ It is highly scalable and gives the power of both private and public clouds.
§ It provides better security than the public cloud.

· The limitations of Hybrid Cloud include the following:

§ Security features are not as good as the private cloud and
§ It is complex to manage.

Community cloud

· The community cloud is the cloud infrastructure that is provisioned for exclusive use
by a specific community of consumers. It may be owned, managed, and operated
by one or more of the organizations in the community.
· In this, a private cloud is shared between several organizations. This model is
suitable for organizations that cannot afford a private cloud and cannot rely on
the public cloud either.
· Characteristics of Community Clouds are as follows:
§ Collaborative: In this, no single company has full control over the whole cloud.
Hence better cooperation provides better results.
§ Partially Secure: In a community cloud, where a few organizations share the cloud,
there is a possibility that data can be leaked from one organization to
another, though it is safe from the external world.
§ Cost Effective: As the complete cloud is being shared by several organizations
or a community, not only does the responsibility get shared; the community cloud
becomes cost effective too.

· Advantages of Community Clouds are as follows:

§ It allows establishing a low-cost private cloud.
§ It allows collaborative work on the cloud.
§ It allows sharing of responsibilities among the organizations.
§ It has better security than the public cloud.

· Limitations of Community Clouds are as follows:

§ Autonomy of the organization is lost.
§ Security features are not as good as the private cloud.
§ It is not suitable in the cases where there is no collaboration.

12. Explain various cloud computing models / service models


· Cloud computing is a model that enables the end users to access the shared pool of
resources such as compute, network, storage, database and application as an on
demand service without the need to buy or own it. The services are provided and
managed by the service provider, reducing the management effort from the
end user side. The essential characteristics of the cloud include on-demand, self
service, broad network access, resource pooling, rapid elasticity, and measured
service. The National Institute of Standards and Technology (NIST) defines three
basic service models - Infrastructure as a Service (IaaS), Platform as a Service
(PaaS), and Software as a Service (SaaS).

(A) Infrastructure as a Service (IaaS)

· IaaS, a hardware-level service, provides computing resources such as processing
power, memory, storage, and networks for cloud users.
· This allows users to maximize the utilization of computing capacities without having
to own and manage their own resources.
· IaaS changes the computing from a physical infrastructure to a virtual
infrastructure i.e. they offer virtual machines and other services.
· Users need not maintain physical servers as they are maintained by the service provider.
· IaaS providers provide the infrastructure/ storage required to host the services by
the cloud clients.
· In order to deploy their applications, cloud clients install operating-systems and their
application software on the cloud infrastructure.

Characteristics of IaaS are as follows:

§ Web access: The IaaS model enables IT users to access infrastructure
resources over the Internet. The IT user need not get physical access to the
infrastructure.
§ Centralized management: The resources distributed across different parts are
controlled from a centralized management console that ensures efficient and
effective resource utilization.
§ Highly scalable: Depending on the load, IaaS services can provide the
resources and services. The usage of resources can be increased or decreased
according to the requirements.
§ Shared infrastructure: IaaS follows a one-to-many delivery model and allows
multiple IT users to share the same physical infrastructure, thus ensuring
high resource utilization.
§ Metered Services: Services are available on a pay-per-use basis.

The different instances of IaaS are as follows:

§ Network as a Service (NaaS): NaaS provides users with needed data
communication capacity. It is an ability given to the end-users to access
virtual network services on pay-per-use basis. NaaS offers virtual networks
components like virtual network interface cards (NICs), virtual routers, virtual
switches, and other networking components. NaaS providers operate using three
common service models: Virtual Private Network (VPN), Bandwidth on Demand
(BoD) and Mobile Virtual Network (MVN).

§ Storage as a Service (STaaS): STaaS provides storage infrastructure on a
subscription basis to users who want a low-cost and convenient way to store
data, synchronize data across multiple devices, manage off-site backups,
mitigate risks of disaster recovery, and preserve records for the long term.
STaaS allows the end users to access the files at any time from any place.

§ Database as a Service (DBaaS): DBaaS provides users with mechanisms to
create, store, and access databases at a host site on demand. It is an ability
given to the end users to access the database service without the need to install
and maintain it, on a pay-per-use basis.

(B) Platform as a Service (PaaS)

· PaaS provides users the ability to develop application software on the
development platform provided by the service provider.
· In traditional application development, the application is developed locally and
hosted in a central location. PaaS moves application development
from the local machine to online. (For example: Google App Engine, Windows Azure
Compute etc.)
· Cloud providers deliver a computing platform including operating system,
programming language, software development tools, database etc.

(C) Software as a Service (SaaS)

· SaaS provides ability to the end users to access an application over the Internet
that is hosted and managed by the service provider. Thus, the end users are
exempted from managing or controlling an application, the development platform,
and the underlying infrastructure.
· SaaS changes the way the software is delivered to the customers. In the traditional
software model, the software is delivered as a license-based product that needs to
be installed in the end user device.

· Since SaaS is delivered as an on-demand service over the Internet, there is no need
to install the software on the end-user's devices. SaaS services can be accessed
or disconnected at any time based on the end user's needs.
· SaaS provides users access to a large variety of applications over the Internet that are
hosted on the service provider's infrastructure.
· For example, one can make one's own Word document in Google Docs online. Similarly,
one can edit a photo online without the need to install photo editing
software on one's system.

The different instances of SaaS are as follows:

§ Testing as a Service (TaaS): This provides users with software testing
capabilities such as generation of test data or test cases, execution of test cases
and test result evaluation on a pay-per-use basis.
§ API as a Service (APIaaS): This allows users to explore functionality of Web
services such as Google Maps, Payroll processing, and credit card processing
services etc.
§ Email as a Service (EaaS): This provides users with an integrated system of
emailing, office automation, records management, migration, spam blocking,
malware protection etc.

Other cloud service models

Communication as a Service (CaaS)

· CaaS is an outsourced enterprise communication solution that can be leased
from a single vendor.
· The CaaS vendor is responsible for all hardware and software management and
offers guaranteed Quality of Service (QoS).
· Examples are: Voice over IP (VoIP), Instant Messaging (IM), Collaboration and
Videoconferencing application using fixed and mobile devices.

Data as a Service (DaaS):

· DaaS provides data on demand to a diverse set of users, systems or application.
The data may include text, images, sounds, and videos. DaaS users have access to
high-quality data in a centralized place and pay by volume or data type, as needed.
However, as the data is owned by the providers, users can only perform read
operations on the data. DaaS is highly used in geography data services and
financial data services.

Security as a Service (SECaaS):

· It is an ability given to the end user to access the security service provided by the
service provider on a pay-per-use basis. It is a new approach to security. Ex: Email
filtering, Web content filtering, Vulnerability management and Identity
management.

Identity as a Service (IDaaS):

· Such providers offer identification and authentication services to the infrastructure used
by the service provider or end user. Generally, IDaaS includes authentication services,
event monitoring, sign-on services etc.

Mobile Computing

13. What is mobile computing and what are the components of mobile computing?

· It refers to the technology that allows transmission of data via any portable device
without having to be connected to a fixed physical link.

Components of Mobile Computing:

Mobile computing involves Mobile Communication, Mobile Hardware and Mobile
Software.

a) Mobile Communication:
· Refers to the infrastructure put in place to ensure that seamless and reliable
communication goes on.
· These would include devices such as Protocols, Services, Bandwidth and Portals
necessary to facilitate and support the stated services.
b) Mobile Hardware:
· It includes mobile devices or device components that receive or access the
service of mobility.
· They would range from Portable laptops, Smart phones, Tablet PC's to Personal
Digital Assistants.
· These devices will have receptors that are capable of sensing and receiving signals.
c) Mobile Software:
· It is the actual program that runs on the mobile hardware.
· This is the engine of the mobile device. In other terms, it is the essential component
that makes the mobile device operate.
· Example: Apple iOS, Google Android, BlackBerry operating system.
14. How does Mobile Computing work?
· The user enters or accesses data using the application on a handheld computing device.
· Using one of several connecting technologies, the new data are transmitted from the
handheld to the server system, where files are updated and the new data are accessible
to other system users.
· Now both systems (handheld and server computer) have the same information and
are in sync.
· The process works the same way starting from the other direction.

15. Explain various mobile computing benefits. (PM)

· It provides the mobile workforce with remote access to work order details, such as
work order location, contact information, required completion date and relevant
warranties/ service contracts.
· It enables mobile sales personnel to update work order status in real time.
· It facilitates access to corporate information at any time, from anywhere.
· It provides remote access to the corporate knowledge base at the job location.
· It improves management effectiveness by enhancing information quality and
information flow.

16. Limitations of Mobile Computing

· Insufficient Bandwidth: Mobile Internet access is generally slower than direct
cable connections. These networks are usually available within limited range of
commercial cell phone towers.
· Power consumption: When a power outlet is not available, mobile computers must
rely entirely on battery power.
· Transmission interferences: Weather, terrain, and the range from the nearest
signal point can all interfere with signal reception. Reception in tunnels, some
buildings, and rural areas is often poor.
· Potential health hazards: People who use mobile devices while driving are often
distracted from driving which results in traffic accidents. Cell phones may interfere
with sensitive medical devices. There are allegations that cell phone signals may
cause health problems.
· Human interface with device: Screens and keyboards tend to be small, which may
make them hard to use. Alternate input methods such as speech or handwriting
recognition require training.
· Security: When using mobile computing one has to depend on a public network, i.e. the
Internet. Security is a major concern as one can easily attack a public network including

Green IT

17. What is Green IT and what steps are to be followed for Green IT? (PM)

· Green IT refers to the study and practice of establishing/ using computers and
IT resources in a more efficient, environmentally friendly and responsible
· Computers consume a lot of natural resources, from the raw materials needed to
manufacture them and the power used to run them, to the problems of disposing of them
at the end of their life cycle. Green computing is the environmentally responsible use
of these computers and related resources.

18. List down green computing best practices.

Some of the steps for Green IT include the following:

· Develop a sustainable Green Computing plan:

§ Involve stakeholders to include checklists, recycling policies, recommendations
for disposal of used equipment, government guidelines etc.
§ Encourage the IT community to use best practices.
§ Ongoing communication is required to maintain a continuous commitment to Green IT.
§ Include power usage and reduction of paper consumption, as well as
recommendations for new equipment and recycling of old machines.
§ Use cloud computing so that multiple organizations share the same computing
resources, thus increasing utilization by making more efficient use of
hardware resources.

· Recycle:
§ Dispose of e-waste according to central, state and local regulations;
§ Discard used or unwanted electronic equipment in an environmentally
responsible manner, as computers emit harmful emissions;
§ Manufacturers must offer safe end-of-life recycling options; and
§ Recycle computers through manufacturers’ recycling services.

· Make environmentally sound purchase decisions:

§ Purchase desktop computers, notebooks and monitors based on
environmental attributes;
§ Provide a set of performance criteria for the design of products;
§ Recognize manufacturers’ efforts to reduce the environmental impact of products by
reducing or eliminating environmentally sensitive materials; and
§ Use server and storage virtualization, which can help improve resource
utilization, reduce energy costs and simplify maintenance.

· Reduce Paper Consumption:

§ Reduce paper consumption by the use of e-mail;
§ Use the “track changes” feature in electronic documents rather than corrections
on paper;
§ Use online marketing or e-mail marketing rather than paper-based marketing,
as these are greener, more affordable, flexible and low-cost; and
§ When printing documents, make sure to use both sides of the paper, recycle
regularly, use smaller fonts and margins, and selectively print only the required pages.

· Conserve Energy:
§ Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT) monitors;
§ Use notebook computers rather than desktop computers whenever possible;
§ Use the power-management features to turn off displays after several minutes of
inactivity;
§ Power down the CPU and all peripherals during extended periods of inactivity;
§ Power up and power down energy-intensive peripherals such as laser printers
according to need;
§ Employ alternative energy sources for computing workstations, servers, networks
and data centers; and
§ Adopt more video conferencing in order to go green and save energy.

Bring your own device

19. What is BYOD? [PM]

· BYOD (Bring Your Own Device) refers to a business policy that allows employees to
use their preferred computing devices, like smartphones and laptops, for
business purposes.
· It means employees are welcome to use personal devices (laptops, smartphones,
tablets etc.) to connect to the corporate network to access information and
· The BYOD policy has made workspaces flexible, empowering employees to
be mobile and giving them the freedom to work beyond their required hours.


20. Explain advantages of BYOD

· Happy Employees: Employees love to use their own devices when at work. This
also reduces the number of devices an employee has to carry; otherwise he would
be carrying his personal as well as organization-provided devices.
· Increased employee efficiency: Employees are more efficient when they work on
their own devices. Apart from this, employees are not required to spend much time
on training.
· Lower IT budgets: BYOD could result in financial savings for the organization,
since employees would be using devices they already possess, thus reducing the
outlay of the organization in providing devices to them.
· Reduced IT support requirement: The IT department does not have to provide end
user support and maintenance for all these devices, resulting in cost savings.
· Early adoption of new technologies: Employees are generally proactive in
adopting new technologies, which results in enhanced employee productivity.

21. Explain emerging BYOD threats

Every business decision is accompanied by a set of threats, and this applies to a
BYOD program as well. A BYOD program that allows access to the corporate network, emails,
client data etc. is one of the top security concerns for enterprises. Overall, these risks
can be classified into four areas as outlined below:

1. Network Risks

· When company-owned devices are used by all employees within an organization,
the organization’s IT practice team has complete visibility of the devices connected to the
network. This helps to analyze traffic and data exchanged over the Internet. But if the
company has a BYOD policy, it permits employees to carry their own
devices (smartphones, laptops) for business use. In that scenario, the IT practice
team may be unaware of the number of devices being connected to the network.
As network visibility is of high importance, this lack of visibility can be hazardous.

2. Device Risks

· A lost or stolen device can result in an enormous financial and reputational
embarrassment to an organization as the device may hold sensitive corporate
· With easy access to company emails as well as the corporate intranet, company trade
secrets can be easily retrieved from a misplaced device.

3. Application Risks

· The majority of employees’ phones and smart devices that were connected to the
corporate network weren’t protected by security software.
· With an increase in mobile usage, mobile vulnerabilities have increased.
· Organizations are not clear about who is responsible for device security: the
organization or the user.
4. Implementation Risks

· The effective implementation of the BYOD program should not only cover the
technical issues mentioned above but also mandate the development of a robust
implementation policy.
· Because corporate knowledge and data are key assets of an organization, the
absence of a strong BYOD policy would fail to communicate employee expectations,
thereby increasing the chances of device misuse.
· In addition to this, a weak policy fails to educate the user, thereby increasing
vulnerability to the above-mentioned threats.

22. Explain Web 3.0

The term Web 3.0, also known as the Semantic Web, describes sites wherein the
computer generates raw data on its own without direct user interaction. Web 3.0 is
considered the next logical step in the evolution of the Internet and Web
technologies. For Web 1.0 and Web 2.0, the Internet is confined within the physical
walls of the computer, but as more and more devices such as smartphones, cars
and other household appliances become connected to the web, the Internet will be
omnipresent and could be utilized in the most efficient manner.
Web 3.0 technology uses the “Data Web” technology, which features data
records that are publishable and reusable on the web through queryable
formats. The Web 3.0 standard also incorporates the latest research in the
field of artificial intelligence.

The two major components of Web 3.0 are as follows:

§ Semantic Web: This provides the web user a common framework that can
be used to share and reuse data across various applications, enterprises
and communities. This allows data and information to be readily interpreted
by machines, so that machines are able to take decisions on their own by
finding, combining and acting upon relevant information on the web.
§ Web Services: A web service is a software system that supports computer-to-computer
interaction over the Internet. For example, social media interacting with
other applications like Google Drive, Instagram etc.

To conclude, Web 3.0 helps to achieve more connected, open and intelligent web
applications using the concepts of natural language processing, machine learning,
machine reasoning and autonomous agents.

23. Explain Internet of Things (IoT)

Definition: The Internet of Things (IoT) is a system of interrelated computing
devices, mechanical and digital machines, objects and people that are provided with
unique identifiers and the ability to transfer data over a network without requiring
human-to-human or human-to-computer interaction.
For example:
Washing machines with Wi-Fi networking capabilities can connect themselves to
home Wi-Fi. Once these machines are so connected, they can be controlled through
the manufacturer’s mobile app from anywhere in the world.

Applications: Some of the applications are as follows:
1. All home appliances are to be connected, and that shall create a virtual home.
a. Home owners can keep track of all activities in the house through their handheld devices.
b. Home security CCTV is also monitored through handheld devices.

2. Office machines shall be connected through the Internet.

a. Human resource managers shall be able to see how many people have had a cup
of coffee from the vending machine and how many are present.
b. How many printouts are being generated through the office printer?

3. Governments can keep track of resource utilisation / extra support needed.

a. Under the SWACHH mission, the government can tag all dustbins with IoT sensors. They
(the dustbins) generate a message once they are full. Being connected to Wi-Fi, they can
intimate the cleaning supervisor of the Municipal Corporation so that the bin can be

4. As a research study, individuals have got themselves implanted with electronic
chips in their bodies. The chip allows them to connect to the home / office Wi-Fi. Once
connected, the person can enter the home / office and perform designated functions. This chip
becomes the individual’s authentication token. The whole world becomes a connected
world. The above may read like science fiction, but it is reality.

Risks: The Internet of Things is an evolving phenomenon. The risks listed are those which
are most discussed for IoT today. As technology evolves, new issues shall crop up. The
risk due to IoT has various facets to it:

(A) Risk to Product manufacturer

Manufacturers may be out of business in a few years if IoT becomes a necessary
product feature.
Data storage and analytics: Manufacturers will have to ensure that the huge data
generated from IoT devices is kept secure. Hacking / losing this data may be
damaging for the entity as well as for the individual to whom it relates.

(B) Risk to user of these products

· Security: This is the greatest risk due to IoT. As home devices / office
equipment are connected to the network, they shall be hit by all network-related
risks, including hacking, virus attacks, stealing of confidential data etc.
· Privacy, autonomy and control: There is a huge risk that individuals may lose
control over their personal life. Their personal life can be hacked and made
public. The other major concern is who has the ownership of this personal data.
For example: A person eats a burger daily at 12.00 at night and takes a bottle of
chilled hard drink with it. S/he uses his / her mobile to operate the griller and
refrigerator. The griller and refrigerator are both sold by, say, XYZ Ltd. This data
is available in XYZ’s database.
§ Who owns this information?
§ The data can be used by insurance companies to deny an insurance claim,
saying the person was a habitual drinker, or to raise his / her medical
insurance premium as the person has a risky lifestyle.

The above illustrates the big risk IoT may create for individuals.
· Intentional obsolescence of devices: This may happen because:
§ Companies which want to bring in a new product may force users to dump the
old products. They can do this by disabling the operating software of old

(C) Technology Risk

Platform fragmentation and lack of technical standards are situations where the
variety of IoT devices, in terms of both hardware variations and differences in the
software running on them, makes the task of developing applications tough.

(D) Environmental Risk due to Technology

Studies are being done to see the impact on household air quality due to the use of
heavy earth metals in devices. There is no definitive data available as of now, but the
risk is being considered.

24. Explain Artificial Intelligence

Definition: Intelligence, as defined in the Chambers dictionary, is “The ability to use
memory, knowledge, experience, understanding, reasoning, imagination and
judgement to solve problems and adapt to new situations”. The ability described
above, when exhibited by machines, is called Artificial Intelligence (AI). It is
intelligence exhibited by machines. For example:
i. This technology is being used in autonomous vehicles, such as the Google car.
ii. Apple’s online assistant Siri is supposed to use it.

Artificial Intelligence is being used in the following applications:
§ Autonomous vehicles (such as drones and self-driving cars)
§ Medical diagnosis, in cancer research. Predicting the chances of an individual
getting ill by a disease;
§ Proving mathematical theorems;
§ Playing games (such as Chess or Go), and predicting the outcomes. Say
which number on a lottery ticket may win;
§ Search engines (such as Google search);
§ Online assistants (such as Siri);

Risks:
1. AI relies heavily on the data it gets. Incorrect data can lead to incorrect conclusions.
2. AI (robots) carries security threats. Countries are discussing having a KILL
button in all AI-capable machines. This is important, as otherwise someday machines
may start controlling humans.
3. AI in the long term may kill the human skill of thinking the unthinkable. All data shall
be processed in a structured manner, where machines shall provide solutions based
on their learning over a period of time. These machines shall not have the capability of
thinking out of the box.

Controls: The set of controls in AI will be extremely complex because of the nature
of processing of information and must be dealt with based on the nature of the AI
tool and its purpose, etc.

25. Explain Machine Learning

Definition: Machine Learning is a type of Artificial Intelligence (AI) that provides
computers with the ability to learn without being explicitly programmed. Machine
learning focuses on the development of computer programs that can change when
exposed to new data. The process of machine learning is similar to that of data
mining. For example:
§ Machine learning has been used for image, video, and text recognition, as
well as serving as the power behind recommendation engines. Apple SIRI is a
good example.
§ This technology is being used in autonomous vehicles, the google car.

Applications: Virtually all AI applications use machine learning so that
some value is added. Specific applications include the following:
§ Autonomous vehicles (such as drones and self-driving cars),
§ Medical diagnosis, in cancer research. Predicting the chances of an individual
getting ill by a disease.
§ Playing games (such as Chess or Go), and predicting the outcomes. Say
which number on a lottery ticket may win.
§ Search engines (such as Google search),
§ Online assistants (such as Siri),

Risk: Machine learning being an application based on AI, the nature of risk to it
remains similar to that posed by AI systems.





Chapter overview (Core Banking Systems): Working of CBS; Risk Assessment and
Risk Management; CBS Related Risks and Controls; Banking Services (CASA, Credit
Cards, Loans and Trade Finance, Treasury Process, Internet Banking Process);
Business Process Flow of key bank products; Data Analytics and Business
Intelligence; Applicable Regulatory and Compliance Requirements; E-Commerce
Transaction Processing.

Core Banking Solution / System (CBS)


· CORE stands for ‘Centralized Online Real-time Environment’ banking system.

· CBS refers to a common IT solution wherein a central shared database supports the
entire banking application. Business processes in all the branches of a bank update a
common database in a central server located at a Data Center, which gives a
consolidated view of the bank’s operations.
· It allows bank branches to access applications from centralized data centers.
· These systems run on a 24x7 basis to support Internet banking, global operations,
mobile banking and real-time transactions via ATM, Internet, phone etc.
· CBS is a centralized banking application software that has several components which
have been designed to meet the demands of the banking industry. CBS is supported
by advanced technology infrastructure and has high standards of business
functionality. These factors provide banks with a competitive edge.
· CBS performs core operations of banking like recording of transactions, passbook
maintenance, interest calculations on loans & advances, customer records etc. It will
also include deposit accounts, loans, mortgages and payments.

1. Explain key features of banking business

The key features of a banking business are as follows:
· The custody of large volumes of monetary items, including cash and negotiable
instruments, whose physical security should be ensured.
· Dealing in large volume (in number, value and variety) of transactions.
· Operating through a wide network of branches and departments, which are
geographically dispersed.
· Increased possibility of frauds, as banks directly deal with money, making it
mandatory for banks to provide multi-point authentication checks and the
highest level of information security.

2. Explain the major products and services provided by commercial banks or

Explain the core banking services provided by commercial banks

Some of the major products and services provided and rendered by commercial banks
which constitute core banking services are briefly explained here.

· Acceptance of Deposits
§ Deposits involve deposits by customers in various schemes for pre-defined
§ As deposits fuel the growth of banking operations, this is the most important
function of a commercial bank.
§ Commercial banks accept deposits in various forms such as term deposits,
savings bank deposits, current account deposits, recurring deposits, savings-cum-
term deposits and various other innovative products.

· Granting of Advances
§ Advances constitute a major source of lending by commercial banks. The types of
advances include cash credit, overdrafts, purchase/ discounting of bills, term
loans, etc.
§ Apart from granting traditional facilities, banks also provide facilities like issuance
of commercial papers, ECB (External Commercial Borrowing) on behalf of bank/
borrower, securitization of credit sales, housing loans, educational loans, and car
loans, etc.

· Remittances
§ Remittances involve transfer of funds from one place to another.
§ Two of the most common modes of remittance of funds are demand drafts and
Telegraphic/ Mail Transfers (TT/ MT).
§ Drafts are issued by one branch of the Bank and are payable by another branch
of the Bank. The drafts are handed over to the applicant. In the case of
telegraphic/ mail transfer, no instrument is handed over to the applicant; the
transmission of the instrument is the responsibility of the branch. Generally, the
payee of both the TT and the MT is an account holder of the paying branch.
§ Electronic Funds Transfer is another mode of remittance, which facilitates almost
instant transfer of funds between two centers electronically. Most banks
have now introduced digital modes of remittance, which let the customer remit
funds online and on mobile devices directly in a few clicks.

· Collections
§ Collections involve collecting proceeds on behalf of the customer.
§ Customers can lodge various instruments to the banks for collection such as
cheques, drafts, pay orders, dividend and interest warrants, tax refund orders,
etc. drawn in their favor.
§ Banks also collect instruments issued by post offices, like national savings
certificates, postal orders, etc.

· Clearing
§ Clearing involves collecting instruments on behalf of customers of the bank.
§ The instruments, such as cheques, pay orders etc., may be payable locally or at an
outside center. The instruments payable locally are collected through the clearing
house mechanism, while the instruments payable outside are sent by the bank to
its branch.
§ Clearing house settles the inter-Bank transactions among the local participating
member banks. There may be separate clearing houses for MICR (Magnetic Ink
Character Recognition) and non-MICR instruments.
§ Electronic Clearing Services (ECS) is used extensively now for clearing. ECS takes
two forms: ECS Credit or ECS Debit.
- In the case of ECS credit, there is a single receiver of funds from a large
number of customers, e.g., public utilities, mutual funds, etc. The beneficiary
(i.e., the receiver of funds) obtains a mandate from its customers to withdraw
funds from their specified bank accounts on a specific date.
- In the case of ECS debit, there is a single account to be debited against which
many accounts with a number of banks in the same clearing house area are
credited. This system is useful for distribution of dividend/ interest, payment
of salaries by large units, etc.

· Letters of Credit and Guarantees

§ Issuing letters of credit and guarantees are two important services rendered by
banks to customers engaged in business, industrial and commercial activities.
§ A Letter of Credit (LC) is an undertaking by a bank to the payee (the supplier of
goods and/ or services) to pay to him, on behalf of the applicant (the buyer) any
amount up to the limit specified in the LC, provided the terms and conditions
mentioned in the LC are complied with.
§ The Guarantees are required by the customers of banks for submission to the
buyers of their goods/ services to guarantee the performance of contractual
obligations undertaken by them or satisfactory performance of goods supplied by

· Credit Cards
§ It is a service provided by a bank to customers to enable them to pay a merchant for
goods and services on a credit basis, based on the customer’s promise to the card
issuer to pay the amount so paid.
§ Most credit cards issued by banks are linked to one of the international credit card
networks like Visa, MasterCard, Amex.

· Debit Cards
§ Debit cards are issued by the bank where the customer has their account.
§ Debit cards enable customers to pay at any authorized outlet as well as to
withdraw money from an ATM from their account.
§ Debit cards are networked with an inter-bank network. When a debit card is used
for a transaction, the amount is immediately deducted from the customer’s account.

· Other Banking Services

§ Retail Banking: These are also called front-office operations that cover all
operations which provide direct retail services to customers.
§ High Net-worth Individuals (HNI): Banks provide special services to customers
classified as High Net-worth Individuals (HNI) based on value of deposits/
§ Risk Management: Risks are all-pervasive in the banking sector. Risk management should
be done at the strategic, tactical, operational and technology levels of the bank. Risk
management is best driven as per policy, with detailed standards, procedures and
guidelines provided for uniform implementation.
§ Specialized Services: Banks also perform other services such as insurance broking,
claims, underwriting, life insurance, non-life insurance, etc. However, these would
be offered by separate entities set up by the bank.

3. Explain IT risks & challenges in banks / CBS

(i) Frequent changes or obsolescence of technology: Technology keeps on
evolving and changing constantly and becomes obsolete very quickly. Hence,
there is always a risk that investment in technology solutions, unless properly
planned, may result in loss to the bank due to the risk of obsolescence.

(ii) Multiplicity and complexity of systems: The Technology architecture used for
services could include multiple digital platforms and is quite complex. Hence, this
requires the bank to have personnel with requisite technology skills or the
management of the bank’s technology could be outsourced to a company having
the relevant skill set.

(iii) Different types of controls for different types of technologies/ systems:
Deployment of technology gives rise to new types of risks. These risks need to be
mitigated by relevant controls as applicable to the technology/information
systems deployed in the bank.

(iv) Proper alignment with business objectives and legal/ regulatory requirements:
Banks must ensure that the CBS and allied systems implemented, cater to all the
business objectives and needs of the bank, in addition to the legal/regulatory
requirements envisaged.

(v) Dependence on vendors due to outsourcing of IT services: In a CBS environment,
the bank requires staff with specialized domain skills to manage the IT deployed by
the bank. Hence, these services could be outsourced to vendors. This creates
heavy dependency on vendors and gives rise to vendor risks, which should be
managed by proper contracts, controls and monitoring.

(vi) Segregation of Duties (SoD):

§ Banks have a highly-defined organization structure with clearly defined roles,
authority and responsibility. The segregation of duties as per the organization
structure should be clearly mapped in the CBS used by the bank.
§ This is a high-risk area since any SoD conflicts can be a potential vulnerability
for fraudulent activities. For example, if a single employee can initiate,
authorize and disburse a loan, the possibility of misuse cannot be ignored.

(vii) External threats leading to cyber frauds/ crime:

§ The CBS environment provides access to customers anytime, anywhere using the
Internet. As a result, there are increased threats from hackers and others who
could access the software to commit frauds/crime.

(viii) Higher impact due to intentional or unintentional acts of internal employees:

Employees in a technology environment are the weakest link in an enterprise. This
is much more relevant in bank as banks deal directly with money. Hence, the
employee acts done intentionally or unintentionally may compromise security of
the IT environment.

(ix) Need to ensure continuity of business processes in the event of a major
disaster: The high dependence on technology makes it imperative to ensure
resilience so that failure does not impact banking services. Hence, a
documented business continuity plan with adequate technology and information
systems should be planned, implemented and monitored.

IT Risks and Risk Assessment

4. Explain Risk, Risk analysis, Risk Assessment

Risk: The potential harm caused if a threat exploits a particular vulnerability to cause
damage to an asset. For example: inadequate security is a vulnerability which could be
exploited by a hacker.
Risk Analysis is defined as the process of identifying security risks and determining their
magnitude and impact on an organization. Information systems can generate many direct
and indirect risks.
These risks lead to a gap between the need to protect systems and the degree of
protection applied. The gap is caused by:
§ Widespread use of technology
§ Interconnectivity of systems;
§ Increase in unconventional electronic attacks;
§ Devolution of management and control;
§ External factors such as legislative, legal and regulatory requirements or IT

Risk Assessment:
Risks are mitigated by implementing risk assessment. This involves the following:
o Identification of threats and vulnerabilities in the system;
o Potential impact or magnitude of harm that a loss of security would have on
enterprise operations or enterprise assets; and
o The identification and analysis of security controls for information systems.

5. Explain the impact of IT Risks

IT risks not only have a direct impact on banks as operational risks but can also promote
other risks like credit risks and market risks. Given the increasing reliance of customers
on digital delivery channels to conduct transactions, any security related issues have the
potential to undermine public confidence in the use of online banking channels and lead
to reputation risks to the banks. Inadequate and improper IT implementation can also
induce strategic risk in terms of strategic decision making based on inaccurate data/
information. Compliance risk is also an outcome in the event of non-adherence to
regulatory or legal requirements arising out of the use of IT.
There are new IT risks which could have a significant impact on critical business
operations, such as:
(i) External dangers from hackers, leading to denial of service and virus attacks,
extortion and leakage of corporate information.

(ii) Growing potential for misuse and abuse of information systems, affecting privacy
and ethical values, and increasing requirements for availability and robustness.
(iii) Phishing attacks through Internet Banking. Phishing is the attempt to obtain
sensitive information such as usernames, passwords, and credit card details (and,
indirectly, money), often for malicious reasons, by disguising as a trustworthy
entity in an electronic communication.

6. Explain concept of IT Risk Management

Effective risk management begins with a clear understanding of the bank’s risk appetite
and identifying high-level risk exposures. After defining the risk appetite and identifying
risk exposures, strategies for managing risk can be set and responsibilities clarified. Based on
the type of risk, the Board and Senior Management may choose any of the
following risk management strategies, in isolation or in combination, as required:
· Avoid: Eliminate the risk by not taking up or avoiding the specific business process
which involves risk.
· Mitigate: Implement controls (e.g. acquire and deploy security technology to protect
the IT infrastructure).
· Transfer: Share risk with partners or transfer to insurance coverage.
· Accept: Formally acknowledge that the risk exists and monitor it.

7. Examples of IT risks relating to banking

Automation makes each of the banking areas prone to different types of risks. Some
examples of risks are as follows:

Risks to Data
· Unauthorized data changes affecting the integrity of data;
· Absence of audit trails / logs;
· Unauthorized transactions;
· Unauthorized entries / corrections / deletions;
· Transactions without vouchers;
· Changing data using another user's password;
· Willful and wrong inputs; and

Other IT Risks
· Unauthorized or incorrect interest rate changes;
· Incorrect interest computation;
· Incorrect computation of charges;
· Unauthorized increases in credit limits;
· Payment of stopped cheques;
· Payment against duplicate drafts / Fixed Deposit Certificates issued; and
· Opening of new accounts without complying with KYC (Know Your Customer)
norms as specified by RBI.

8. Explain the indicators of higher IT risk

Risk assessment and risk management should be reviewed on a regular basis, as
risks are dynamic and keep changing.
Some of the indicators of higher IT risk are:
· IT security is not given the required priority;
· An attitude of "the computer will take care of everything, no checking is required";
· Lack of transparency of IT operations and of assigned responsibility;
· Lack of input controls;
· Lack of output verification;
· Lack of access controls;
· Lack of audit trails;
· Lack of dual checks for sensitive and high value transactions;
· Lack of a documented disaster recovery plan / contingency plan / Business Continuity Plan;
· Lack of controls, leading to temptation to commit frauds; and
· Over-dependence on long-serving 'trusted' operators, supervisors, managers, etc.

9. Explain the key indicators of effective IT controls

· The ability to plan and execute new work, such as IT infrastructure upgrades required
to support new products and services.
· Development projects that are delivered on time and within budget, resulting in cost-
effective and better product and service offerings compared to competitors.
· The ability to allocate resources predictably.
· Consistent availability and reliability of information and IT services across the
organisation and for customers, business partners and other external interfaces.
· Clear communication to management of the key indicators of effective controls.
· The ability to protect against new vulnerabilities and threats and to recover from any
disruption of IT services quickly and efficiently.
· Heightened security awareness on the part of the users and a security conscious

Internal Control System in Banks

10. Give examples of internal Controls in Banks

Risks are mitigated by implementing internal controls appropriate to the business
environment. These controls must be integrated into the IT solution implemented
at the bank's branches.
Some examples of internal controls in a bank branch are given here:
· The work of one staff member is invariably supervised / checked by another staff
member, irrespective of the nature of the work (the maker-checker process).
· A system of job rotation among staff exists.
· The financial and administrative powers of each official / position are fixed and
communicated to all persons concerned.
· All books are balanced periodically. Balancing is confirmed by an authorized
official.
· Details of lost security forms are immediately advised to the controlling office so
that it can exercise caution.
· Fraud-prone items like currency, valuables, draft forms, term deposit receipts,
traveller's cheques and other such security forms are in the custody of at least two
officials of the branch.

11. Give Examples of IT Controls in Banks

IT risks need to be mitigated by implementing the right type and level of controls in the
automated environment. This is done by integrating the controls into the IT system. A
sample list of IT-related controls follows:
· The system maintains a record of all log-ins and log-outs.
· If a transaction is sought to be posted to a dormant (or inoperative) account, the
processing is halted and can be proceeded with only with a supervisory password.
· The system checks whether the amount to be withdrawn is within the drawing
· Access to the system is available only between stipulated hours and on specified days.
· Individual users can access only specified directories and files. Users should be given
access only on a "need-to-know" basis according to their role in the bank. This
applies to internal users of the bank as well as to customers.
· Exception situations such as limit excess, reactivation of dormant accounts, etc. can be
handled only with a valid supervisory-level password.
· A user timeout is prescribed: after a user logs in and there is no activity for a
pre-determined time, the user is automatically logged out.
· Once the end-of-day process is over, the ledgers cannot be opened without a
supervisory-level password.
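As an added example that is not part of the study material, the following Python sketch shows how several of the controls listed above (idle-session timeout, stipulated hours, supervisory override for dormant accounts, limit excess and post-EOD posting, and maker-checker separation from question 10) can be enforced inside a posting routine, with every attempt, accepted or rejected, written to an audit trail. Account, Session, Ledger, the thresholds and the demo supervisory secret are assumptions for illustration, not any vendor's design.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Constructed branch parameters (assumptions, not from the study material).
OPERATING_HOURS = (time(9, 0), time(18, 0))     # stipulated hours
SESSION_TIMEOUT = timedelta(minutes=10)         # idle time before auto log-out
SUPERVISOR_PW_HASH = hashlib.sha256(b"sup-secret-demo").hexdigest()  # demo only


def supervisor_ok(password):
    """Constant-time check of the supervisory password (demo: unsalted SHA-256)."""
    if password is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, SUPERVISOR_PW_HASH)


@dataclass
class Account:
    number: str
    balance: int          # paise; integers avoid rounding errors
    drawing_limit: int    # balance plus any sanctioned overdraft
    dormant: bool = False


@dataclass
class Session:
    user: str
    last_activity: datetime

    def expired(self, now):
        return now - self.last_activity > SESSION_TIMEOUT


@dataclass
class Ledger:
    eod_closed: bool = False
    pending: dict = field(default_factory=dict)   # txn_id -> (maker, account, amount)
    log: list = field(default_factory=list)       # audit trail of every attempt
    next_id: int = 1

    def record(self, event, **detail):
        self.log.append({"event": event, **detail})


def post_withdrawal(ledger, session, account, amount, now, supervisor_pw=None):
    """Maker step. Returns ("OK", txn_id) or ("REJECT", reason); nothing moves yet."""
    if session.expired(now):
        ledger.record("TIMEOUT", user=session.user)
        return "REJECT", "session timed out"
    session.last_activity = now
    if not OPERATING_HOURS[0] <= now.time() <= OPERATING_HOURS[1]:
        ledger.record("OUT_OF_HOURS", user=session.user)
        return "REJECT", "outside stipulated hours"
    # Exception situations are processed only with a valid supervisory password.
    exceptions = []
    if ledger.eod_closed:
        exceptions.append("ledger closed after EOD")
    if account.dormant:
        exceptions.append("dormant account")
    if amount > account.drawing_limit:
        exceptions.append("limit excess")
    if exceptions and not supervisor_ok(supervisor_pw):
        ledger.record("EXCEPTION_BLOCKED", user=session.user, reasons=exceptions)
        return "REJECT", "supervisory password required: " + ", ".join(exceptions)
    txn_id = ledger.next_id
    ledger.next_id += 1
    ledger.pending[txn_id] = (session.user, account, amount)
    ledger.record("MAKER", user=session.user, txn=txn_id, override=bool(exceptions))
    return "OK", txn_id


def authorize(ledger, checker, txn_id):
    """Checker step: a different user must approve before the balance changes."""
    maker, account, amount = ledger.pending[txn_id]
    if checker.user == maker:
        ledger.record("SOD_VIOLATION", user=checker.user, txn=txn_id)
        return "REJECT", "maker cannot authorize own transaction"
    account.balance -= amount
    account.drawing_limit -= amount
    del ledger.pending[txn_id]
    ledger.record("CHECKER", user=checker.user, txn=txn_id)
    return "OK", account.balance
```

The supervisory secret is compared with hmac.compare_digest against a stored digest rather than as plaintext. A production system would additionally salt the hash, tie the override to the supervisor's own login instead of a shared password, and record the supervisor's identity in the audit entry for the override.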

Applying IT Controls – General & Application controls

The risks and controls explained earlier in this section should be implemented within IT.
Hence, it is important for the bank to identify controls as per its policy, procedures and
organization structure and to configure them within the IT software used in the bank.
There are different options for implementing controls, depending on the risk management
strategy.

IT controls are selected and implemented based on the risks they are designed to
manage. In the banking industry, risks are all-pervasive.
However, the focus in this chapter is not on the business-related risks of banking but on the
IT-related risks and controls of banking automation.
Apart from the classification of controls already discussed in detail in the previous chapter, a
common classification of IT controls is into General Controls and Application Controls.
General Controls are macro in nature, whereas Application Controls are specific to the
application software.

12. Explain various General controls

General Controls
General Controls, also known as Infrastructure Controls, are present across the different
layers of the IT environment and information systems. General Controls are pervasive
controls and apply to all system components, processes and data for a given enterprise or
systems environment. General controls include, but are not limited to:
· Information Security Policy: The security policy is approved by senior
management, encompasses all areas of the bank's operations and governs access to
information across the enterprise and by other stakeholders.
· Administration, Access and Authentication: IT should be administered with
appropriate policies and procedures that clearly define the levels of access to
information and the authentication of users.
· Separation of key IT functions: Secure deployment of IT requires the bank to have a
separate IT organization structure with a clear demarcation of duties for the different
personnel within the IT department, ensuring that there are no segregation-of-duties
conflicts.
· Management of Systems Acquisition and Implementation: Software solutions for
CBS are either developed or acquired and then implemented. Hence, the process of
acquisition and implementation of systems should be properly controlled.
· Change Management: The IT solutions deployed and their various components must be
changed in tune with changing needs arising from the technology environment,
business processes, and regulatory and compliance requirements. These changes affect
the live environment of banking services.
Hence, a change management process should be implemented to ensure a smooth
transition to new environments, covering all key changes including hardware,
software and business processes. All changes must be properly approved by
management before implementation.
· Backup, Recovery and Business Continuity: Heavy dependence on IT and its criticality
make it imperative that the resilience of banking operations be ensured by
having appropriate business continuity arrangements, including backup, recovery and an
off-site data centre.
· Confidentiality, Integrity and Availability of Software and Data Files: Security is
implemented to ensure the confidentiality, integrity and availability of information.
· Incident Response and Management: Various incidents may arise from the failure of IT.
These incidents need to be appropriately responded to and managed as per pre-defined
policies and procedures.

13. Explain Application controls & examples of Application controls

Application Controls are controls implemented within an application to
prevent, or to detect and correct, errors. These controls are built into the application
software to ensure accurate and reliable processing. Application controls ensure
that all transactions are authorized, complete and accurate.
For example, the application software ensures that only transactions of the day are
accepted by the system, that withdrawals are not allowed beyond limits, etc.
Some examples of Application controls are as follows:
· Data edits, i.e. editing of data is allowed only for permissible fields;
· Separation of business functions (e.g. transaction initiation versus authorization);
· Balancing of processing totals (debit and credit of all transactions are
· Transaction logging (all transactions are identified with a unique id and
· Error reporting (errors in processing are reported); and
· Exception reporting (all exceptions are reported).
A detailed discussion of Application Controls has already been provided in the previous
chapter (Chapter 3).
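The detective controls in the list above (balancing of processing totals, transaction logging with unique ids, exception and error reporting, and data edits restricted to permissible fields) can be exercised against a batch of journal entries. The following is an added example, not from the study material; the batch, the high-value threshold, the dormant-account set and the editable-field list are constructed for illustration. Transaction 1002 is deliberately unbalanced and id 1004 is deliberately missing.

```python
from collections import defaultdict

# Assumed parameters (not from the study material).
HIGH_VALUE_PAISE = 2_00_000             # debits at or above this go on the exception report
DORMANT = {"SB-003"}                    # accounts flagged dormant in the master
EDITABLE_FIELDS = {"address", "phone"}  # the only fields a data edit may change

# Constructed journal batch: (txn_id, account, side, amount_paise).
# Every transaction must have debit legs equal to credit legs and a
# sequential id; 1002 is unbalanced and 1004 is missing.
BATCH = [
    (1001, "SB-001", "DR", 50_000), (1001, "CASH", "CR", 50_000),
    (1002, "SB-002", "DR", 20_000), (1002, "CASH", "CR", 25_000),
    (1003, "SB-003", "DR", 3_00_000), (1003, "CASH", "CR", 3_00_000),
    (1005, "SB-005", "DR", 1_000), (1005, "CASH", "CR", 1_000),
]


def unbalanced_transactions(batch):
    """Balancing of processing totals: ids whose DR and CR legs differ."""
    dr, cr = defaultdict(int), defaultdict(int)
    for txn, _, side, amount in batch:
        (dr if side == "DR" else cr)[txn] += amount
    return sorted(t for t in set(dr) | set(cr) if dr[t] != cr[t])


def sequence_gaps(batch):
    """Transaction logging check: a gap in the unique id run means a
    transaction was processed without leaving a log entry."""
    ids = {txn for txn, *_ in batch}
    return [i for i in range(min(ids), max(ids)) if i not in ids]


def exception_report(batch):
    """Exception reporting: high value debits and any posting to a dormant account."""
    report = []
    for txn, account, side, amount in batch:
        if account in DORMANT:
            report.append((txn, account, "dormant account"))
        if side == "DR" and account != "CASH" and amount >= HIGH_VALUE_PAISE:
            report.append((txn, account, "high value"))
    return report


def disallowed_edits(old, new):
    """Data edit control: names of changed fields that are not permissible to edit."""
    changed = {k for k in old if old[k] != new.get(k)}
    return sorted(changed - EDITABLE_FIELDS)


def run_controls(batch):
    """Error report for the batch: each finding is (control, detail)."""
    findings = [("balance", t) for t in unbalanced_transactions(batch)]
    findings += [("missing_log", i) for i in sequence_gaps(batch)]
    findings += [("exception", e) for e in exception_report(batch)]
    return findings
```

Running run_controls(BATCH) yields four findings: the unbalanced 1002, the missing 1004, and two exception lines for 1003 (dormant account and high value). In a real CBS these would feed the day's error and exception reports for supervisory review rather than silently correcting anything.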


14. Examples of CBS software
· Finacle: Core banking software suite developed by Infosys that provides universal
banking functionality, with modules covering all banking services.
· FinnOne: Web-based global banking product designed to support banks and financial
solution companies in dealing with assets, liabilities, core financial accounting and
customer service.
· Flexcube: Comprehensive, integrated, interoperable and modular solution that
enables banks to manage evolving customer expectations.
· BaNCS: A customer-centric business model which offers simplified operations
comprising loans, deposits, wealth management, digital channels and risk and
compliance components.
· bankMate: A full-scale banking solution; a scalable, integrated e-banking
system that meets the deployment requirements of traditional and non-traditional
banking environments. It enables communication through any touch point to provide
full access to the complete range of banking services with anytime, anywhere

15. Explain key aspects inbuilt into the CBS architecture

Some key aspects in-built into architecture of a CBS are as follows:

· Information flow: Facilitates information flow within the bank and improves the
speed and accuracy of decision-making. It deploys systems that streamline
integration and unite corporate information to create a comprehensive database.
· Customer centric: Through a holistic core banking architecture, it enables banks to
target customers with the right offers at the right time through the right channel, to
increase profitability.
· Regulatory compliance: Facilitated by a compliance module running on a regularly
updated regulatory platform that ensures regulatory compliance.
· Resource optimization: Optimizes the utilization of the bank's information and resources
and lowers costs through improved asset reusability, faster turnaround times, faster
processing and increased accuracy.

16. Explain core features of CBS
· On-line real-time processing.
· Transactions are posted immediately.
· All databases are updated simultaneously.
· Centralized operations (all transactions are stored in one common database / server).
· Remote interaction with customers.
· Reliance on transaction balancing.
· High dependence on system-based controls.
· Authorizations occur within the application.
· Increased access by staff at various levels, based on authorization.
· Daily, half-yearly and annual closing.
· Automatic processing of standing instructions.
· Centralized interest application for all accounts and account types.
· Anytime, anywhere access for customers and vendors.

17. Explain major components of CBS

· Opening new accounts and customer on-boarding.
· Managing deposits and withdrawals.
· Transactions management from initiation to reporting.
· Interest calculation and management.
· Payments processing (cash, cheques/ mandates, NEFT, RTGS, IMPS etc.).
· Loans disbursement and management.
· Processing cash deposits and withdrawals.
· Processing payments and cheques.
· Processing and servicing loans.
· Accounts management.
· Configuring and calculating interest.
· Customer Relationship Management (CRM) activities.
· Setting criteria for minimum balances, interest rates, withdrawals allowed, limits and
so on.
· Maintaining records for all the bank’s transactions.

18. Explain significant changes brought by CBS in accounting processes or workflow

CBS is a technology environment based on client-server architecture, having a remote
server (called the Data Centre) and clients (the Service Outlets, i.e. branches, which are
connected through channel servers). CBS has brought significant changes so far as
workflow and housekeeping activities / accounting processes at branches are concerned.
· User actions and controls are elaborately menu-driven.
· The user is prompted by the software to initiate an action and to apply a control.
· Various periodical runs / mass activities like application of interest and service charges,
updating of parameters globally, balancing / reconciliation of ledgers, TDS, etc. are
carried out centrally at the Data Centre, leaving various control actions to be taken at

19. Explain key technology components of CBS
The software resides in a centralized application server which is in the Central Office Data
Centre, so the application software is not available at the branch but can be accessed
from the branches or online. Along with database servers and other servers, an
application server is located at the Central Data Centre.

The key technology components of CBS are as follows:

· Database Environment
· Application Environment
· Web Environment
· Connectivity to the Corporate Network and the Internet
· Data Centre and Disaster Recovery Centre
· Network Solution architecture to provide total connectivity
· Enterprise Security architecture
· Branch and Delivery channel environment
· Online Transaction monitoring for fraud risk management

20. What are the technological architecture of CBS

The figure gives an overview of the CBS architecture: client access devices at the top
interface with channel servers, which in turn interface with application servers, which are
connected to the database servers hosted on a Windows / Unix platform. These
concepts are further explained in a later section (CBS IT Environment) of this chapter.

Technology Architecture of CBS

21. What are the functional architecture of CBS

A Core Banking Solution is the enterprise resource planning software of a bank. It covers
all aspects of banking operations from a macro to a micro perspective and covers the
entire gamut of banking services, ranging from front office to back office operations and
from transactions at counters to online transactions, up to the general ledger and reporting.
However, a CBS is modular in nature and is generally implemented either for all functions or
for core functions, as decided by the bank. For example, if treasury operations or foreign
exchange transactions are minimal, then these may not be implemented in the CBS but their
results could be linked to the CBS through a proper interface. Hence, the
implementation would depend on the need and criticality of the specific banking services
provided by the bank. The following Fig. provides a functional architecture of CBS
covering the complete range of banking services.

22. How Does CBS Work?

The deployment and implementation of CBS should be controlled at various stages to
ensure that the bank's automation objectives are achieved:
· Planning: Planning for implementing the CBS should be done as per the strategic and
business objectives of the bank.
· Approval: The decision to implement CBS requires high investment and recurring
costs and will affect how banking services are provided by the bank. Hence, the
decision must be approved by the board of directors.
· Selection: Although there are multiple vendors of CBS, each solution has key
differentiators. Hence, the bank should select the right solution considering various
parameters defined by the bank to meet its specific requirements and business
· Design and develop or procure: Earlier, CBS solutions were developed in-house by the
bank. Currently, most CBS deployments are procured. There should be appropriate
controls covering the design, development or procurement of the CBS for the bank.
· Testing: Extensive testing must be done before the CBS goes live. Testing is done
at different phases: at the procurement stage to test suitability, at data migration to
ensure all existing data is correctly migrated, and testing to confirm that the processing of
the various types of transactions in all modules produces the correct results.
· Implementation: CBS must be implemented as per a pre-defined and agreed plan with
specific project milestones to ensure successful implementation.
· Maintenance: CBS must be maintained as required, e.g. program bugs fixed, version
changes implemented, etc.
· Support: CBS must be supported to ensure that it is working effectively.
· Updation: CBS modules must be updated based on the requirements of business
processes, technology updates and regulatory requirements.
· Audit: Audit of the CBS must be done internally and externally as required to ensure that
controls are working as envisaged.

Fundamentally, in a CBS, all the bank's branches access applications from centralized
data centres. Core banking systems are akin to a human heart in terms of importance
and functionality. All transactions are routed through the core systems, which are available
24x7 and accessible from anywhere, at any time and through multiple devices such as
desktops, laptops, ATMs, the Internet, mobile phones, tablets, etc.
The following diagram provides an overview of how a CBS works. It may be noted that
at the core of the CBS is the customer, who interacts with it through various channels such as
branches, ATMs, call centres, internet banking, the bank's relationship officers or
mobile phones. These delivery channels connect to the different business modules / silos in
an integrated manner. These functional modules connect to various types of servers such
as the database server, CRM server, application server, data warehouse server, ATM servers,
etc. In addition, partners / vendors may also be connected to the CBS.


Technology architecture of CBS

Customer Identification File (CIF) is a digital or virtual file where the customer identity
details with a valid photo ID and address details are stored and given a unique number
which is called CIF number. A customer may have many accounts of different nature, like
current account, savings account, loans etc., but all these accounts will be mapped to one
CIF only.

CBS IT Environment

23. Explain the various types of server used in CBS IT environment

The core banking environment comprises a central Application Server that runs
the Core Banking Solution (CBS), with the application software being centrally accessed by
all the branches as well as by customers.

· The server is a sophisticated computer that accepts service requests from different
machines called clients. The requests are processed by the server and the results sent back
to the clients. This server is a powerful and robust system, as it performs the entire core
banking operation. CBS is developed as an internet-based application and can therefore
be accessed through a browser.
· The application server may be decentralized and located at a regional office or at a branch
for an easy and quick response. No user is granted access to the CBS directly. Access is
always through a channel server that processes the request and fetches data from, or sends
data to, the CBS for updating.
· Validation is a process carried out entirely within the computer to ensure that the data
fed in conforms to certain prerequisite conditions. For example, if an operator keys in data
for a withdrawal of money, the operator naturally enters the customer's account number;
a built-in control ensures that further processing is entertained only after the system
verifies that the account number entered already exists in the database, i.e. that it belongs
to an existing customer.
· After the data is validated at the branch, it is sent to the respective channel
server in the centralized data centre. The channel server (which houses the respective
channel software), after receiving the data, performs the necessary operations and updates
the core database, etc.
· There are different types of servers used in deploying a CBS. Some of these are briefly
explained here:
(i) Application Server
(ii) Database Server
(iii) Automated Teller Machine (ATM) Channel Server
(iv) Internet Banking Channel Server
(v) Internet Banking Application Server
(vi) Web Server
(vii) Proxy Server
(viii) Anti-Virus Software Server, etc.

Application Server
· All the transactions of a customer are processed at the data centre. The
Application Server performs the necessary operations and updates the account of
customer "A" in the database server.
· The customer may do some other operation at branch "Y". The process is validated
at branch "Y" and the data is transmitted to the application software at the data
centre. The results are updated in the database server at the centralized data
centre. Thus, whatever operations a customer may do at any of the branches of the
bank, the accounting process, being centralized at the data centre, is updated in the
centralized database.
· The application software (the CBS) on the application server should always be the
latest version accepted after adequate testing. Changes are first made on a
separate server called a test server. The programs are debugged and certified that
the program has been amended as required and performs as expected.
· The changed, latest application software is then moved into the application
server under proper authority. The earlier version is archived, and a backup copy of the
latest software is always kept.

Database Server
· The Database Server of the bank contains the entire data of the bank. The data
consists of the various accounts of the customers and master data (examples of master
data are customer data, employee data, base rates for advances, FD rates, the rates
for loans, penalties to be levied under different circumstances, etc.).
· The application software, the ATM server and the Internet Banking Application Server
access the database server. The data contained in the database must be very secure,
and no direct access should be permitted, to prevent unauthorized changes. Strict
discipline is followed regarding the maintenance of the database server: there is a
designated role for maintenance of the database, and the individual who performs this
role is called the Database Administrator. The DBA's activities are also monitored, as all
changes made are recorded in a log. Scrutiny of the log discloses the
type of activities and the effect of such activities.

Automated Teller Machines (ATM) Channel Server

· This server contains the details of ATM account holders. As soon as the facility of
using the ATM is created by the bank, the details of such customers are loaded on
to the ATM server.
· When the central database is busy with central end-of-day activities, or is unavailable for
any other reason, a file containing the account balances of the customers is sent to the
ATM switch. Such a file is called the Positive Balance File (PBF). Until the central database
becomes accessible again, ATM transactions are passed against the balance available in
the ATM server. Once the central database server becomes accessible, all the
transactions that took place while it was inaccessible are updated in the central
database. This ensures not only continuity of ATM operations but also that the
central database is always
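Stand-in processing against the PBF is where a control weakness can creep in: the file is a snapshot, so a balance it shows may already have been spent through another channel before the ATM transaction is replayed. The following added example (not from the study material, and not any switch vendor's code) simulates the switch approving against the PBF while the central database is down, capping what any one card can draw offline, and then replaying the stand-in transactions and reporting any card the replay leaves overdrawn. CentralDB, ATMSwitch, load_pbf, authorize, reconcile and the cap are assumptions.

```python
from dataclasses import dataclass, field

STANDIN_CAP = 10_000   # assumed per-card cap in paise while offline; the PBF is a stale copy


@dataclass
class CentralDB:
    balances: dict        # account (keyed here by card) -> balance in paise
    up: bool = True


@dataclass
class ATMSwitch:
    pbf: dict = field(default_factory=dict)           # Positive Balance File
    standin_used: dict = field(default_factory=dict)  # card -> amount approved offline
    standin_log: list = field(default_factory=list)   # (card, amount) to replay later


def load_pbf(switch, central):
    """Copy balances to the switch before the central database goes down (e.g. at EOD)."""
    switch.pbf = dict(central.balances)
    switch.standin_used = {}


def authorize(switch, central, card, amount):
    """Online: debit the central database. Offline: approve against the PBF."""
    if central.up:
        if central.balances.get(card, 0) < amount:
            return "DECLINE"
        central.balances[card] -= amount
        return "APPROVE"
    if card not in switch.pbf or switch.pbf[card] < amount:
        return "DECLINE"
    used = switch.standin_used.get(card, 0)
    if used + amount > STANDIN_CAP:
        return "DECLINE"                # the cap bounds the loss if the PBF is stale
    switch.pbf[card] -= amount
    switch.standin_used[card] = used + amount
    switch.standin_log.append((card, amount))
    return "APPROVE-STANDIN"


def reconcile(switch, central):
    """Replay offline transactions into the central database once it is back.
    Returns the cards that ended overdrawn because the PBF was stale."""
    if not central.up:
        raise RuntimeError("central database still unavailable")
    overdrawn = []
    for card, amount in switch.standin_log:
        central.balances[card] = central.balances.get(card, 0) - amount
        if central.balances[card] < 0:
            overdrawn.append(card)
    switch.standin_log.clear()
    load_pbf(switch, central)       # refresh the snapshot for the next outage
    return overdrawn
```

The overdrawn list is the reason a per-card stand-in cap exists: without it a customer who spent the balance online after the PBF was cut could withdraw the same money again at an ATM during the outage, and the bank would only find out at reconciliation.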

Internet Banking Channel Server (IBCS)

· Just as the ATM server stores the details of all account holders who have the ATM facility,
the Internet Banking database server stores the user names and passwords of all the internet
banking customers. The IBCS (Internet Banking Channel Server) software stores the name and
password of every internet banking customer (in practice, what should be stored is a salted
hash of the password rather than the password itself). Please note that the ATM server does
not hold the PINs of the ATM account holders. The IBCS server also contains details of the
branch to which the customer belongs.
· The Internet Banking customer first has to log into the bank's website with the
user name and password.

Internet Banking Application Server

· The Internet Banking Software stored in the IBAS (Internet Banking
Application Server) authenticates the customer with the login details stored in the
· The authentication process is the method by which the details provided by the
customer are compared with the data already stored on the data server to make
sure that the customer is genuine and has been provided with internet banking
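The text describes the IBCS holding user names and passwords and the IBAS comparing the supplied details against them. As an added example (not from the study material, and not any vendor's code), the sketch below implements that comparison the way a practitioner would: the store keeps only a salted PBKDF2 hash, the comparison is constant-time, an unknown user costs the same work as a wrong password so the response time does not reveal which user names exist, and repeated failures lock the account. enrol, authenticate, the iteration count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumption)
MAX_FAILURES = 5       # lockout threshold (assumption)
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = bytes(32)


def _derive(password, salt):
    """Slow, salted key derivation so a leaked store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enrol(store, username, password, branch):
    """IBCS-side record: only a salted hash of the password is kept, plus the branch."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _derive(password, salt),
                       "branch": branch, "failures": 0, "locked": False}


def authenticate(store, username, password):
    """IBAS-side check. Returns (ok, branch). Unknown users and locked
    accounts fail after the same amount of work as a wrong password."""
    rec = store.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    match = hmac.compare_digest(_derive(password, salt), expected)
    if rec is None or rec["locked"]:
        return False, None
    if match:
        rec["failures"] = 0
        return True, rec["branch"]
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True
    return False, None
```

The lockout is a simple counter here; a production IBAS would also throttle by source address, require a second factor, and record every failure in the audit log rather than only counting it.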

Web Server
· The Web Server is used to host all web services and internet related software. All
the online requests and websites are hosted and serviced through the web server.
· A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve
the files that form Web pages to users, in response to their requests, which are
forwarded by their computers’ HTTP clients. All computers that host Web sites must
have Web server programs.

Proxy Server
· A Proxy Server is a computer that offers a computer network service to allow
clients to make indirect network connections to other network services. A client
connects to the proxy server, and then requests a connection, file, or other
resource available on a different server.
· In some cases, the proxy may alter the client’s request or the server’s response for
various purposes.

Anti-Virus Software Server

· The Anti-Virus Server hosts the anti-virus software, which is deployed to ensure that
all software deployed is first scanned, so that appropriate virus / malware scans are
performed.


Banks carry out a variety of functions across the broad spectrum of products offered by
them. Some of the key products provided by most commercial banks are Current & Savings
Accounts (CASA), Credit Cards, Loans and Advances, Treasury and Mortgages.

24. Explain Business process flow of Current & Savings Accounts (CASA)
Process Flow of CASA facility (as shown in the Fig.)
(i) Either the customer approaches the relationship manager to apply for a CASA
facility or applies for the same through internet banking; the charges / rates for
the facility are provided by the relationship manager on the basis of the request made
by the customer.
(ii) Once the potential customer agrees to avail the facilities / products of the
bank, the relationship manager requests the relevant documents, i.e. KYC
and other relevant documents of the customer depending upon the
facility / product. KYC (Know Your Customer) is a process by which banks obtain
information about the identity and address of their customers. KYC documents
can be a Passport, Driving Licence, etc.
(iii) The documents received from the customer are handed over to the Credit
team / Risk team for sanctioning of the facilities / limits of the customer.
(iv) The Credit team verifies the documents, assesses the financial and credit worthiness
of the borrower and updates the facilities in the customer account.
(v) The Current / Savings account, along with the facilities requested, is
provided to the customer for daily functioning.
(vi) Customers can avail facilities such as cheque deposit / withdrawal, cash
deposit / withdrawal, Real Time Gross Settlement (RTGS), National Electronic
Funds Transfer (NEFT), Electronic Clearing Service (ECS), Overdraft and
Fund Transfer services provided by the bank.

25. What are the risks & controls around the CASA Process
Risk & Controls around the CASA Process
1. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: The credit committee checks that the financial ratios, the net-worth, the
   risk factors and their corresponding mitigating factors, the credit line offered and the
   credit amount, etc. are in line with the Credit Risk Policy and that the client can be
   given the credit line.
2. Risk: Credit Line setup in CBS is unauthorized and not in line with the bank's policy.
   Key Controls: Access rights to authorize the credit limit in the account setup system
   should be restricted to authorized personnel.
3. Risk: Customer Master defined in CBS is not in accordance with the Pre-Disbursement
   Certificate.
   Key Controls: Access rights to authorize the customer master in CBS should be
   restricted to authorized personnel.
4. Risk: Inaccurate interest / charges being calculated in CBS.
   Key Controls: Interest on fund-based facilities is automatically calculated in the CBS
   as per the defined rules.
5. Risk: Unauthorized personnel approving the CASA transaction in CBS.
   Key Controls: Segregation of duties is maintained between the initiator and the
   authorizer of the transaction for processing transactions in CBS.
6. Risk: Inaccurate accounting entries generated in CBS.
   Key Controls: Accounting entries are generated by CBS on the basis of the facilities
   requested by the customer and the configurations defined for those facilities in CBS.

26. Explain Business Process flow of Credit Cards

Process Flow of Issuance of Credit Card Facility (as shown in the Fig.)
(i) Either the customer approaches the relationship manager to apply for a credit card
facility or applies for the same through internet banking; the charges / rates
for the facility are provided by the relationship manager on the basis of the credit
application made by the customer.
(ii) Once the potential customer agrees to avail the facilities / products of the bank,
the relationship manager requests the relevant documents, i.e. KYC and other
relevant documents of the customer depending upon the facility / product.
(iii) The documents received from the customer are handed over to the Credit team
for sanctioning of the facilities / limits of the customer.
(iv) The Credit team verifies the documents, assesses the financial and credit worthiness of
the borrower, issues a credit limit to the customer in CBS and allots a credit
(v) The Credit Card is physically delivered to the customer's address.

Process Flow of Issuance of Credit Card Facility

27. Explain the business process flow of authorization process of credit card.

Process Flow of Sale - Authorization process of Credit Card Facility (as shown in
the Fig.)
(i) The customer swipes the credit card for the purchase made by him / her on the POS
(Point of Sale) machine at the merchant's shop / establishment.
(ii) The POS (Point of Sale) will process the transaction only once the same is
(iii) The POS (Point of Sale) sends the authentication request to the merchant's
bank (also referred to as the "acquiring bank"), which then sends the transaction
authentication verification details to the credit card network (such as VISA,
MASTERCARD, AMEX, RUPAY), from which the data is validated by the credit
card issuing bank within a fraction of a second.
(iv) Once the transaction is validated, the approval message is sent from the credit
card issuing bank to the credit card network, from which it flows to the merchant's
bank and approves the transaction on the POS (Point of Sale) machine.
(v) The receipt of the transaction is generated and the sale is completed. The
transaction is charged during the billing cycle of that month.

Process Flow of Sale - Authorization and Clearing & Settlement of Credit Card

28. Explain the business process flow of clearing & settlement process of credit card

Process Flow of Clearing & Settlement process of Credit Card Facility (as shown in
the above Fig.)
(i) The transaction data from the merchant is transferred to the merchant's bank.
The merchant's bank clears the settlement amount to the merchant after deducting the
merchant fees. The merchant's bank, in turn, provides the list of settlement transactions to
the credit card network, which then provides the list of transactions made by the
customer to the credit card issuing bank.
(ii) The credit card issuing bank, on the basis of the transactions made, clears the amount to
the merchant's bank after deducting the interchange transaction fees.
(iii) At the end of the billing cycle, the card issuing company charges the customer's credit
card account with those transactions in CBS.

29. What are the Risks and Controls around the Credit Card Process
Risks and Controls around the Credit Card Process
1. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: The credit committee checks that the Financial Ratios, the Net-worth,
   the Risk factors and their corresponding mitigating factors, the Credit Line offered,
   the Credit amount, etc. are in line with the Credit Risk Policy and that the Client
   can be given the Credit Line.
2. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: Access rights to authorize the credit limit in the credit card system
   should be restricted to authorized personnel.
3. Risk: Masters defined for the customer are not in accordance with the
   Pre-Disbursement Certificate.
   Key Controls: Access rights to authorize the customer master in the credit card
   system should be restricted to authorized personnel. Segregation of duties exists in
   the credit card system such that the system restricts the maker having checker
   rights from approving the facilities booked by self in the credit card system.
4. Risk: Credit Line setup can be breached.
   Key Controls: A transaction cannot be made if the aggregate outstanding amount
   would exceed the credit limit assigned to the customer.
5. Risk: Inaccurate interest / charge being calculated in the Credit Card system.
   Key Controls: Interest on fund based credit cards and charges are automatically
   calculated in the credit card system as per the defined masters.
6. Risk: Inaccurate reconciliations performed.
   Key Controls: Daily reconciliation of the balances received from the credit card
   network with the transactions updated in the credit card system, at card network
   level.
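As an added illustration (not from the study material), the following Python model walks through the issuer-side authorization check of Q27 with the limit control of row 4 above, the fee deductions of the clearing & settlement flow in Q28, and the billing-cycle posting; the card number, limit, amounts and fee rates are constructed sample values.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# All card numbers, limits, amounts and fee rates below are constructed sample values.


@dataclass
class CardAccount:
    """Issuer-side card master in CBS: the assigned credit limit, the amount
    currently outstanding and the transactions waiting to be billed."""
    card_no: str
    credit_limit: Decimal
    outstanding: Decimal = Decimal("0")
    unbilled: list = field(default_factory=list)


class IssuingBank:
    """Validates the authentication requests the card network forwards (step iii)."""

    def __init__(self, accounts):
        self.accounts = {a.card_no: a for a in accounts}

    def authorize(self, card_no, amount):
        acct = self.accounts.get(card_no)
        if acct is None:
            return False, "declined: card not found"
        # Row 4 control: the aggregate outstanding may never exceed the assigned limit.
        if acct.outstanding + amount > acct.credit_limit:
            return False, "declined: credit limit exceeded"
        acct.outstanding += amount
        acct.unbilled.append(amount)
        return True, "approved"


def pos_purchase(issuer, card_no, amount):
    """Steps (i)-(v): the POS sends the request via the acquiring bank and the
    card network to the issuer; the decision flows back the same way and the
    POS generates a receipt only on approval."""
    approved, message = issuer.authorize(card_no, Decimal(amount))
    return {"approved": approved, "message": message, "amount": Decimal(amount)}


def settle(approved_amounts, merchant_fee_rate, interchange_rate):
    """Q28 clearing & settlement for one batch of approved transactions.

    The acquiring (merchant's) bank pays the merchant net of the merchant fee;
    the issuing bank pays the acquiring bank net of the interchange fee.
    Rates are fractions given as strings, e.g. "0.02" for 2%."""
    gross = sum((Decimal(a) for a in approved_amounts), Decimal("0"))
    paisa = Decimal("0.01")
    merchant_fee = (gross * Decimal(merchant_fee_rate)).quantize(paisa, ROUND_HALF_UP)
    interchange = (gross * Decimal(interchange_rate)).quantize(paisa, ROUND_HALF_UP)
    return {
        "gross": gross,
        "paid_to_merchant": gross - merchant_fee,
        "paid_by_issuer_to_acquirer": gross - interchange,
        "acquirer_keeps": merchant_fee - interchange,
    }


def bill_cycle(acct):
    """Q28 step (iii): at billing-cycle end the issuer charges the card account
    in CBS with the cycle's transactions; the outstanding stays until paid."""
    statement_amount = sum(acct.unbilled, Decimal("0"))
    acct.unbilled = []
    return statement_amount


def sample_issuer():
    """Constructed sample: one card with an assigned limit of 50,000."""
    return IssuingBank([CardAccount("CARD-SAMPLE-1", Decimal("50000"))])


if __name__ == "__main__":
    issuer = sample_issuer()
    for amt in ("30000", "25000", "20000"):
        print(amt, pos_purchase(issuer, "CARD-SAMPLE-1", amt)["message"])
    print(settle(["30000", "20000"], "0.02", "0.015"))
    print("statement:", bill_cycle(issuer.accounts["CARD-SAMPLE-1"]))
```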
Business Process Flow of Mortgages
A Mortgage loan is a secured loan which is secured on the borrower’s property by
marking a lien on the property as collateral for the loan. If the borrower stops paying,
then the lender has the first charge on the property.
Mortgages are used by individuals and businesses to make large real estate purchases
without paying the entire value of the purchase up front. Over a period of many years,
the borrowers repay the loan amount along with interest until there is no outstanding balance.

30. Explain various types of Mortgage Loan

· Home Loan: This is a traditional mortgage where the customer has the option of selecting
a fixed or variable rate of interest, and it is provided for the purchase of property.
· Top Up Loan: Here the customer already has an existing loan and is applying for an
additional amount, either for refurbishment or for renovation of the house.
· Loans for Under Construction Property: In the case of under construction properties, the
loan is disbursed in tranches/parts as per the construction plan.

31. Explain the Process Description of Mortgage loan.
(i) Loans are provided by the lender, which is a financial institution such as a bank or a
mortgage company. Two types of loan are widely offered to customers: the first is a
fixed rate mortgage, where the rate of interest remains constant for the life of the loan;
the second is a variable/floating rate mortgage, where the rate of interest is fixed for a
period but then fluctuates with market interest rates.
(ii) The Borrower/Customer approaches the bank for a mortgage, and the relationship
manager/loan officer explains the home loan and its various features to the customer.
The customer fills in the loan application and provides the requisite KYC documents
(proof of identity, address, income and obligation details, etc.) to the loan officer.
(iii) Loan officer reviews the loan application and sends it to Credit risk team who will
calculate the financial obligation income ratio which is to determine customer’s
financial eligibility on how much loan can be provided to the customer. This is done
basis the credit score as per Credit Information Bureau (India) Limited (CIBIL)
rating, income and expense details and Rate of Interest at which loan is offered.
Once financial eligibility is determined, then along with customer documents the
details are sent to the underwriting team for approval.
(iv) Underwriting team will verify the financial (applicant’s credit history) and
employment information of the customer. Underwriter will ensure that the loan
provided is within the lending guidelines and at this stage provide conditional
approval along with the list of documents required.
(v) As per the property selected by the customer, loan officer will provide the property
details along with requisite documents (property papers etc.) to the legal and
valuation team. Legal team will carry out title search on the property which is to
determine legal owner of the property, any restrictions or any lien on the property
etc. Valuation team will carry out valuation of property and determine its value.
(vi) Further verification of the property is carried out to determine whether the property
is built as per the approved plan, whether the builder has received the requisite
certificates, the age of the building (to determine whether it will withstand the loan
tenure) and the construction quality.
(vii) The legal and valuation teams send their reports to the operations team,
which generates the letter of offer / offer letter to the customer. This entails
all details of the loan such as loan amount, rate of interest, tenor, monthly
installment, security address, fee/charges details and terms and conditions.
(viii) The customer agrees to the loan agreement offered by signing the
offer letter. The loan officer notarizes all the loan documents, which are sent
back to the lender's operations team.

(ix) Once the signed offer letter is received, the operations team releases or
disburses the funds and prepares a cashier order. The cashier order is provided to the
customer in exchange for the mandatory original property documents. Once the
exchange is carried out successfully, the bank places a charge or lien on the
property so that, in case of default, the first charge is with the bank to
recover the money.
(x) Post disbursement of the loan, the customer can carry out various loan servicing
activities by visiting the branch or via online mode, such as amendments to the
interest rate, change in monthly instalment, prepayment of the loan amount and
foreclosure of the loan, etc.

32. What are the risks & controls around Mortgage Process
Risk & Controls around the Mortgage Process
1. Risk: Incorrect customer and loan details are captured, which will affect the overall
   downstream process.
   Key Controls: There is a secondary review performed by an independent team member
   who will verify the loan details captured in the core banking application against the
   offer letter.
2. Risk: Incorrect loan amount disbursed.
   Key Controls: There is a secondary review performed by an independent team member
   who will verify the loan amount to be disbursed in the core banking application
   against the signed offer letter.
3. Risk: Interest amount is incorrectly calculated and charged.
   Key Controls: Interest amount is auto calculated by the core banking application on
   the basis of loan amount, ROI and tenure.
4. Risk: Unauthorized changes made to loan master data or customer data.
   Key Controls: System enforced segregation of duties exists in the core banking
   application, where the inputter of the transaction cannot approve its own
   transaction and the reviewer cannot edit any details submitted by the inputter.

33. Explain Treasury Process & core areas of Treasury Process.

Treasury Process
· Products in the Investments category are Government Securities (G-Sec), shares and other
investments such as Commercial Papers, Certificates of Deposit, Units of Mutual Funds,
Venture Capital Funds, Real Estate Funds, Debentures and Bonds.
· Products in the Trading category are Forex and Derivatives (Over-The-Counter (OTC) and
Exchange traded); the products involved are Options, Swaps, Futures, Foreign
Exchange (FX) forwards and Interest rate derivatives.

Core areas of Treasury Operations: The core areas of treasury operations in a bank can
be functionally divided into the following broad compartments as mentioned below:
a. Dealing Room Operations (Front office operations);
b. Middle Office (Market Risk department / Product Control Group); and
c. Back office.

(i) Front Office:

· Front Office operations consist of dealing room operations wherein the dealers enter
into deals with various corporate and interbank counter-parties. Deals are
entered by dealers on various trading/communication platforms such as the Reuters
system, telephonic conversation, brokers or any other private channel with the
respective counter-party.
· The dealers are primarily responsible for checking counter-party credit limits,
eligibility and other requirements of the Bank before entering into a deal with
customers. Dealers must ensure that all risk/credit limits are available before
entering into a deal. Also, the deal must not contravene the current regulations
regarding dealing in INR with overseas banks/counter-parties.
· All counter-parties are required to have executed the International Swaps and
Derivatives Association ('ISDA') agreement as well as to have passed a board resolution
allowing them to enter into derivatives contracts. As soon as the deal is struck with the
counter-party, the deal details are either noted in a manual deal pad or punched into the
front office system of the Bank, where they are queued for authorization.

(ii) Middle Office:

· Middle Office includes risk management, responsibility for treasury accounting and
documentation of various types, producing the financial results, analysis and budget
forecasts for the treasury business unit, and input into regulatory reporting.
· Risk management manages various types of risk such as financial and market risk,
currency risk, foreign exchange risk and regulatory compliance risk, with the objective
of risk minimisation or risk hedging.
· It is also responsible for monitoring the counter-party, country, dealer and market-
related limits that have been set and approved in other areas of the bank, such as the
credit department.

(iii) Back Office Operations:

· The mainstream role of the Back Office is in direct support of the trading room or
front office. This includes verification by confirmation, settlement, checking existence
of a valid and enforceable International Swap Dealers Association (‘ISDA’) agreement.

· An important development in the back office has been the advent of Straight-
Through Processing (STP), also called 'hands-off' or exception processing. This has
been made possible through the enhancement of systems to real-time online input in the
trading room, which in turn has meant that the back office can recall deals input in
the trading room to verify them against an external source.
· The back office is also involved in a number of reconciliation processes, including the
agreement of traders' overnight positions, Nostro accounts and brokerage. The
critical one is FOBO (Front Office/Back Office) reconciliation, which ensures the
completeness and accuracy of the trades/deals done for the day.

34. What is the process flow for bank treasury operations

Process flow for Bank Treasury Operations is provided in the Fig.

Process flow for Bank Treasury Operations

35. Explain various risk & controls around the Treasury Process
Risk & Controls around the Treasury Process
1. Risk: Unauthorized securities setup in systems such as Front office/Back office.
   Key Controls: Appropriate segregation of duties and review controls around securities
   master setup/amendments.
2. Risk: Inaccurate trade is processed.
   Key Controls: Appropriate segregation of duties and review controls to ensure the
   accuracy and authorization of trades.
3. Risk: Unauthorized confirmations are processed.
   Key Controls: Complete and accurate confirmations to be obtained from the counter-party.
4. Risk: Insufficient securities available for settlement.
   Key Controls: Effective controls on securities and margins.
5. Risk: Incomplete and inaccurate data flow between systems.
   Key Controls: Inter-system reconciliations, interfaces and batch processing controls.
6. Risk: Insufficient funds are available for settlements.
   Key Controls: Controls at CCIL/NEFT/RTGS settlements to ensure margin funds
   availability and timely funds settlement.
7. Risk: Incorrect Nostro payments.
   Key Controls: Controls at Nostro reconciliation and payments.
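The FOBO reconciliation described under Back Office Operations (Q33) and rows 2 and 5 of the table above, as an added example that is not part of the study material: front office deals are matched to back office records for completeness and for agreement of the economic terms, and deals with a counterparty lacking an executed ISDA agreement are flagged. Deal ids, counterparties, the counterparty master and all figures are constructed sample data.

```python
# Constructed sample data: deal ids, counterparties and figures are illustrative.
FRONT_OFFICE_DEALS = [
    {"deal_id": "D001", "counterparty": "CP-A", "product": "FX forward", "notional": 1_000_000, "rate": 83.20},
    {"deal_id": "D002", "counterparty": "CP-B", "product": "IRS", "notional": 5_000_000, "rate": 6.75},
    {"deal_id": "D003", "counterparty": "CP-C", "product": "FX spot", "notional": 250_000, "rate": 83.10},
]
BACK_OFFICE_DEALS = [
    {"deal_id": "D001", "counterparty": "CP-A", "product": "FX forward", "notional": 1_000_000, "rate": 83.20},
    {"deal_id": "D002", "counterparty": "CP-B", "product": "IRS", "notional": 5_000_000, "rate": 6.57},
    {"deal_id": "D004", "counterparty": "CP-D", "product": "FX spot", "notional": 100_000, "rate": 83.15},
]
# Counterparty master (constructed): whether an executed ISDA agreement is on file.
COUNTERPARTY_MASTER = {"CP-A": True, "CP-B": True, "CP-C": True, "CP-D": False}

# Economic terms that must agree between the two systems.
ECONOMIC_TERMS = ("counterparty", "product", "notional", "rate")


def fobo_reconcile(front_office, back_office):
    """Return the day's exceptions as (deal_id, reason) tuples.

    Completeness: every deal struck in the dealing room must exist in the back
    office system and vice versa. Accuracy: deals present in both must carry
    the same economic terms."""
    fo = {d["deal_id"]: d for d in front_office}
    bo = {d["deal_id"]: d for d in back_office}
    exceptions = []
    for deal_id in sorted(fo.keys() - bo.keys()):
        exceptions.append((deal_id, "missing in back office"))
    for deal_id in sorted(bo.keys() - fo.keys()):
        exceptions.append((deal_id, "missing in front office"))
    for deal_id in sorted(fo.keys() & bo.keys()):
        for term in ECONOMIC_TERMS:
            if fo[deal_id][term] != bo[deal_id][term]:
                exceptions.append(
                    (deal_id, f"{term} mismatch: FO={fo[deal_id][term]} BO={bo[deal_id][term]}")
                )
    return exceptions


def isda_exceptions(deals, counterparty_master):
    """Back office check: deals whose counterparty has no executed ISDA on file."""
    return [d["deal_id"] for d in deals
            if not counterparty_master.get(d["counterparty"], False)]


if __name__ == "__main__":
    for exc in fobo_reconcile(FRONT_OFFICE_DEALS, BACK_OFFICE_DEALS):
        print("FOBO exception:", *exc)
    print("no ISDA on file:", isda_exceptions(BACK_OFFICE_DEALS, COUNTERPARTY_MASTER))
```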
Loans and Trade Finance Process
The business of lending, which is the main business of banks, carries certain inherent risks,
and a bank cannot take more than a calculated risk whenever it wants to lend. Hence,
lending activity has to necessarily adhere to certain principles.
The business of lending is carried on by banks offering various credit facilities to their
customers. The various credit facilities offered by banks are generally repayable on
demand. A bank should ensure proper recovery of the funds lent by it and acquaint itself
with the nature of the legal remedies available to it and also the law affecting the credit
facilities provided by it.

36. Explain classification of credit facilities

Classification of Credit Facilities: These may broadly be classified as under:

(i) Fund Based Credit Facilities: Fund based credit facilities involve outflow of funds
meaning thereby the money of the banker is lent to the customer. They can be
generally of following types:
i. Cash Credits/Overdrafts
ii. Demand Loans/Term loans
iii. Bill Discounting
(ii) Non-Fund Based Credit Facilities: In this type of credit facility, the bank's funds
are not lent to the customer; they include Bank Guarantees and Letter of
37. Explain the process flow in credit facilities

(I) Customer Master Creation in Loan Disbursement System (which is either CBS or a
separate system that periodically interfaces with CBS)
· The relationship manager across locations identifies the potential customers
and approaches them with the details of the products/facilities and the
charges/rates or the customer may directly approach the bank for availing
the facilities.

· Once the potential customer agrees to avail the facilities/products of the
bank, the relationship manager requests the relevant documents, i.e. KYC
and other relevant documents of the customer, depending upon the
· The documents received from the customers are handed over to the Credit
team of the bank for sanctioning of the facilities/limits of the customers.
· The Credit team verifies the documents, assesses the financial and credit
worthiness of the borrowers and issues a sanction letter to the customer.
· Sanction letter details the terms of the facilities and the credit limits the
customer is eligible e.g. how much loan can be offered to the customer.
· Once the customer agrees with the terms of the sanction letter, the credit
team prepares a Pre Disbursement Certificate (PDC) containing the details of
all the facilities & limits approved for the customer and sends it to the
disbursement team i.e. the team who is responsible for disbursing the loan
amount to customer.
· The disbursement team verifies the PDC and creates the customer account and
master in the Loan Disbursement System. The disbursement team member
also assigns the limits for various products as per the PDC.
· Once the limits are assigned to the customer, the customer can avail any of
the facilities/products up to the assigned credit limits.

(II) Loan Disbursal / Facility Utilization and Income Accounting

· Customer may approach the bank for availing the product/facility as per the
sanction letter.
· The facility/product requested are offered to the customer after verifying
the customer limits in the Loan Disbursal System which normally would be
CBS or may be a separate system which later interfaces with CBS on periodic
· In case of fund based loans (Term Loan/Overdraft/Cash credits), the
funds are disbursed to the customer's bank account and the corresponding
asset is recorded in a loan account recoverable from the customer. Interest is
generally accrued on a daily basis, and interest along with the principal is
recovered from the customer as per the agreed terms.
· In case of bills discounting product, the customer is credited the invoice
amount excluding the interest amount as per the agreed rates. Interest
income is generally accrued on a daily basis. Receivable is booked in a loan

· In case of non- fund based facilities, the facilities are granted to the
customer up to the assigned limits in the loan disbursement system.
Contingent entries are posted for asset and liabilities. Commission is
normally charged to the customer account upfront on availing the facility and
is accrued over the tenure of the facilities granted to the customer.

38. Explain process flow of Non Fund based loans

Process flow for Non Fund based loans

Process Flow for Non Fund based Loans

39. Explain risks & controls in loans & advances process
Risk & Controls in the Loans and Advances Process
1. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: The credit committee checks that the Financial Ratios, the Net-worth,
   the Risk factors and their corresponding mitigating factors, the Credit Line offered,
   the Credit amount, etc. are in line with the Credit Risk Policy and that the Client
   can be given the Credit Line.
2. Risk: Credit Line setup is unauthorized and not in line with the bank's policy.
   Key Controls: Access rights to authorize the credit limit in the Loan Booking
   system/CBS should be restricted to authorized personnel.
3. Risk: Masters defined for the customer are not in accordance with the Pre
   Disbursement Certificate.
   Key Controls: Access rights to authorize the customer master in the Loan Booking
   system/CBS should be restricted to authorized personnel. Segregation of duties exists
   in the Loan Disbursement system: the system restricts the maker having checker
   rights from approving the loan/facilities booked by self in the loan disbursal system.
4. Risk: Credit Line setup can be breached in the Loan disbursement system/CBS.
   Key Controls: The Loan disbursement system/CBS restricts booking of loans/facilities
   if the limits assigned to the customer are breached in Loan disbursement
5. Risk: Lower rate of interest/commission may be charged to the customer.
   Key Controls: The Loan disbursement system/CBS restricts booking of loans/facilities
   if the rate charged to the customer is not as per the defined masters in the system.
6. Risk: Facilities/Loans granted may be unauthorized/inappropriate.
   Key Controls: Segregation of duties exists in the Loan Disbursement system: the
   system restricts the maker having checker rights from approving the loan/facilities
   booked by self in the loan disbursal system.
7. Risk: Inaccurate interest / charge being calculated in the Loan disbursal system.
   Key Controls: Interest on fund based loans and charges for non-fund based loans are
   automatically calculated in the Loan disbursal system as per the defined
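As an added example (not the study material's own code), the Python sketch below enforces the controls that row 4 of the mortgage table (Q32) and rows 3 to 6 of the loans & advances table above describe: per-product limits as assigned from the PDC cannot be breached, the rate must match the defined master, and a booking can only be approved by a different user holding checker rights, who can accept or reject but not edit it. The users, rights, products, rates and limits are constructed sample values.

```python
# Constructed sample data: users, rights, products, rates and limits are illustrative.
RATE_MASTER = {"TERM_LOAN": 9.50, "OVERDRAFT": 11.00, "BANK_GUARANTEE": 1.50}
USER_RIGHTS = {
    "maker1": {"maker"},
    "maker2": {"maker"},
    "checker1": {"checker"},
    "dualrole": {"maker", "checker"},   # holds both rights, still cannot check own work
}


class ControlViolation(Exception):
    """Raised when a booking breaks one of the system-enforced controls."""


class LoanDisbursementSystem:
    def __init__(self, pdc_limits):
        # Per-product limits as approved in the Pre Disbursement Certificate (PDC).
        self.limits = dict(pdc_limits)
        self.pending = {}   # ref -> booking awaiting checker approval
        self.booked = {}    # ref -> approved booking
        self._seq = 0

    def utilised(self, product):
        """Approved and in-flight bookings both count against the PDC limit."""
        records = list(self.pending.values()) + list(self.booked.values())
        return sum(r["amount"] for r in records if r["product"] == product)

    def submit(self, maker, product, amount, rate):
        """Maker books a loan/facility; the row 4 and row 5 checks run here."""
        if "maker" not in USER_RIGHTS.get(maker, set()):
            raise ControlViolation("user lacks maker rights")
        if product not in self.limits:
            raise ControlViolation("no limit assigned for product in PDC")
        if rate != RATE_MASTER[product]:
            raise ControlViolation("rate not as per defined master")
        if self.utilised(product) + amount > self.limits[product]:
            raise ControlViolation("assigned limit breached")
        self._seq += 1
        ref = f"BK{self._seq:04d}"
        self.pending[ref] = {"ref": ref, "maker": maker, "product": product,
                             "amount": amount, "rate": rate}
        return ref

    def approve(self, checker, ref):
        """Checker approves a pending booking (rows 3 and 6 segregation of duties).
        The checker only accepts or rejects; no field of the record is editable here."""
        record = self.pending.get(ref)
        if record is None:
            raise ControlViolation("unknown or already actioned booking")
        if "checker" not in USER_RIGHTS.get(checker, set()):
            raise ControlViolation("user lacks checker rights")
        if checker == record["maker"]:
            raise ControlViolation("maker cannot approve own booking")
        self.booked[ref] = self.pending.pop(ref)
        return ref

    def reject(self, checker, ref):
        """Checker sends a pending booking back; it stops counting against the limit."""
        if "checker" not in USER_RIGHTS.get(checker, set()):
            raise ControlViolation("user lacks checker rights")
        if ref not in self.pending:
            raise ControlViolation("unknown or already actioned booking")
        return self.pending.pop(ref)


def violation(action, *args):
    """Run action(*args) and return the control violation message, or None."""
    try:
        action(*args)
    except ControlViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    lds = LoanDisbursementSystem({"TERM_LOAN": 1_000_000, "OVERDRAFT": 500_000})
    ref = lds.submit("maker1", "TERM_LOAN", 600_000, 9.50)
    print(ref, "approve by maker:", violation(lds.approve, "maker1", ref))
    print(ref, "approve by checker:", lds.approve("checker1", ref))
    print("over limit:", violation(lds.submit, "maker2", "TERM_LOAN", 500_000, 9.50))
```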

Internet Banking Process

40. Explain internet banking process
· The customer applies to the bank for such a facility. The user is provided with a User
ID and Password. As is the best practice the password is expected to be changed soon
after the first log on.
· Internet facility could be used only by accessing the website of the bank. For
accessing the website, a browser like Internet Explorer, Firefox or Chrome is used.

· On access, the user is directed to a secure web server. The internet banking website is
hosted on the web server, which is in the central data centre of the bank. Access to the
web server is permitted only to authorised users.
· To protect the web server from unauthorised use and abuse, all traffic must pass
through a firewall. The firewall is designed in such a fashion that only traffic
addressed to the web server through the authorised port is permitted.
· An individual who accesses the website of bank through the browser will be able to
access the web server and there will be a display of the bank’s web page on the
screen of the client’s computer.
· The web page will also provide all information generally of interest to the public. The
web page also will have a specified area wherein a mention of user ID and password
will be made.
· The password will not be displayed in plain text but will only be in an encrypted form.
· The web server forwards the customer details to the Internet Banking Application
Server, which in turn accesses the Internet Banking Database Server (IDBS). The server
already holds the database of all the customers who have been provided with the internet
banking facility; for each customer, it has details of the user ID and password.
· The information received from the web server is verified against the customer data
held by the Internet Banking Application Server (IBAS).
· Should the information not tally, the message 'access denied' would appear, giving the
reason 'user ID/password incorrect'. The customer, realising the mistake, may rectify it
and make another attempt.
· Normally, three such attempts would be permitted. After three attempts, the customer
will be logged out for security reasons. If more attempts are permitted, there is a
possibility of a person just trying out different combination of user ID and password to
break into the system.
· Based on the authentication check, the Internet Banking Application Server (IBAS)
sends an acknowledgement to the web server. The web server displays the message.
Once the authentication process is completed correctly, the customer is provided
internet banking facility, which would include:
(a) Password change
(b) Balance inquiry
(c) Fund transfer
(d) Request for cheque book
(e) Stop payment
(f) Copy of statement of account; and
(g) ATM/ Credit Card related queries
· The customer then chooses one of the services from the list. The service requested is
directed by the web server to the IBAS for processing. The IBAS will access the
internet banking database server for further processing.

· The Internet Banking Channel Server (IBCS) will retrieve the data from the central
database server. The IBCS will be able to access the central database server only
through a middleware and firewall. The middleware is expected to convert the data to
suit the requirements of IBCS.
· The internet banking database server then forwards the customer data to the IBAS, which
processes the transaction; e.g., the statement of account from the central database
server is made available to the Internet Banking Database Server (IDBS). The IBCS
then sends the data to the IBAS, and the IBAS sends the same to the web browser
(Internet Explorer).
· The web server generates a dynamic web page for the service requested; e.g., the
account statement is generated by the web server and presented to the web browser
(say, Internet Explorer). The information is provided to the web browser in an encrypted form.
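The log-on part of the flow above, as an added example that is not code from the study material: a stand-in for the IBAS that stores only salted password hashes (never the plain-text password), reports 'user ID/password incorrect' on a mismatch, stops further attempts after three failures, and requires the initial password to be changed after the first log-on. The lock-until-reset behaviour, the hashing parameters and the sample user are assumptions, not specified in the text.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3         # the text: three attempts are permitted, then the customer is logged out
PBKDF2_ROUNDS = 100_000  # assumed work factor; the text does not specify one


def _derive(password, salt):
    """Salted PBKDF2-SHA256 digest; only this, never the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class InternetBankingAuthServer:
    """Stand-in for the IBAS: holds the user ID/password database and answers
    the web server's authentication checks."""

    def __init__(self):
        self.users = {}

    def enrol(self, user_id, initial_password):
        """The customer applies for the facility and is issued a user ID and password."""
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "digest": _derive(initial_password, salt),
            "failed": 0,
            "locked": False,
            "must_change": True,   # best practice: change soon after the first log on
        }

    def authenticate(self, user_id, password):
        """Return the message the web server should display to the customer."""
        record = self.users.get(user_id)
        if record is None:
            # Same wording as a wrong password, so valid user IDs cannot be enumerated.
            return "access denied: user ID/password incorrect"
        if record["locked"]:
            return "access denied: account locked"
        candidate = _derive(password, record["salt"])
        if not hmac.compare_digest(candidate, record["digest"]):
            record["failed"] += 1
            if record["failed"] >= MAX_ATTEMPTS:
                record["locked"] = True       # assumption: locked until the bank resets it
                return "access denied: account locked"
            return "access denied: user ID/password incorrect"
        record["failed"] = 0
        if record["must_change"]:
            return "authenticated: password change required"
        return "authenticated"

    def change_password(self, user_id, current_password, new_password):
        """Service (a) of the list above; the current password must be presented."""
        if self.authenticate(user_id, current_password).startswith("access denied"):
            return False
        record = self.users[user_id]
        record["salt"] = os.urandom(16)
        record["digest"] = _derive(new_password, record["salt"])
        record["must_change"] = False
        return True

    def unlock(self, user_id):
        """Branch/helpdesk reset after identifying the customer offline (assumed step)."""
        record = self.users[user_id]
        record["failed"] = 0
        record["locked"] = False


if __name__ == "__main__":
    ibas = InternetBankingAuthServer()
    ibas.enrol("CUST-SAMPLE-001", "Initial#Pass1")   # constructed sample user
    for attempt in ("guess1", "guess2", "guess3", "Initial#Pass1"):
        print(attempt, "->", ibas.authenticate("CUST-SAMPLE-001", attempt))
```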

E-Commerce Transaction processing

41. Explain e-commerce transaction flow for approval of payments

Most of the e-Commerce transactions involve advance payment either through a credit
or debit card issued by a bank. The Fig. highlights flow of transaction when a customer
buys online from vendor’s e-commerce website.

E-Commerce Transaction flow for approval of payments

Risks associated with CBS

42. Explain risks associated with CBS
Once the complete business is captured by technology and processes are automated in
CBS, the customers, management and staff of the bank are completely dependent on the
Data Centre (DC). From a risk assessment and coverage point of view, it is critical to
ensure that the Bank can impart advanced training to its permanent staff in
the core areas of technology for effective and efficient technology management.
· Ownership of Data/ process: Since the entire data resides at the Data Centre, any
authorized user may access any data sometimes beyond their access rights. Hence it
is required to establish clear ownership.
· Authentication procedure: This may be inadequate, and hence the user entering the
transaction may not be identifiable. Hence a photo or ID and password are required to be
provided by the individual, and these have to be verified against the photo, ID and
password stored in the database server to check authenticity.
· Authorization process: Once the user is authenticated, the level of access rights
provided to every user has to be verified to check the extent to which the user is
authorized to access.
· Several software interfaces across diverse networks: A Data Centre can have as
many as 75-100 different interfaces and application software.
· Maintaining response time: Maintaining the interfacing software and ensuring
optimum response time and up time can be challenging.
· User Identity Management: This could be a serious issue. Some Banks may have
more than 5000 users interacting with the CBS at once.
· Access Controls: Designing and monitoring access control is an extremely challenging
· Incident handling procedures: These may not be adequate considering the need for
real-time risk management.

IT related Risks and mitigating Controls

43. Explain the IT related risks & mitigating controls in the business perspective
There are multiple ways in which risks can be assessed. From a business perspective,
risks can be classified based on the following information criteria:
· Confidentiality: If critical data is lost and unauthorized disclosure happens, data
confidentiality is lost.
· Integrity: If critical data is modified without authorization, or incomplete or
inaccurate data is provided due to errors in input or processing, data integrity will be affected.
· Availability: The information system is not available when required.
· Compliance: The information system does not comply with legal, regulatory,
contractual or internal compliance requirements.
· Reliability: If the system does not provide accurate financial information, users lose
confidence in the information system.

· Effectiveness: If system is not able to meet user requirement, it will affect
· Efficiency: If system is not responding within stipulated time, it will affect efficiency.

44. Explain the sub processes of data center and network operation to control IT
related risks.
· Backups and Restoring of data: To be done on a regular basis as per the backup policy.
· Job and Batch Scheduling and Processing: Running of various types of transactions
on a regular basis as per pre-defined schedules. For example, clearing of cheques and
interest computation are done at specified intervals.
· Monitoring of Applications and supporting Servers: The servers and the applications
running on them are monitored to ensure that servers, network connections and
application software along with the interfaces are working continuously.
· Value Add areas of Service Level Agreements (SLA): SLAs with vendors are regularly
reviewed to ensure that the services are delivered as per specified performance
· User training and qualification of Operations personnel: The personnel deployed
have the required qualifications, competencies and skill-sets to operate and monitor
the IT environment of the bank's CBS.

45. Explain risks and Controls for Data Centre and Network Operations
Risks and Controls for Data Centre and Network Operations
· Risk: The transaction may not be recorded completely or accurately, and the related
  items will be inaccurately or incompletely recorded.
  Key IT Controls: Batch and online processing procedures are defined, executed and
  monitored for successful and timely completion. Any exception is reviewed and timely
· Risk: Invalid items may be recorded or valid items may be inaccurately or incompletely
  recorded.
  Key IT Controls: Access to automated job scheduling tools and executable programs is
  defined so as to restrict it to appropriate individuals as per job requirement.
· Risk: Timely and adequate technical support may not be available and issues may not be
  resolved.
  Key IT Controls: The entity has written agreement(s) with outside contractors and/or
  software vendors to provide for technical support, as
  Management monitors compliance with these agreements.
· Risk: User queries may not be timely and adequately resolved.
  Key IT Controls: A help desk function exists to provide support on user queries
  regarding systems. Problems are recorded and the log for timely resolution of all such
  user queries is
· Risk: Unavailability of applications and data backups in the event of a disaster. It can
  also result in disclosure of sensitive
  Key IT Controls: All tapes, manuals and guides are properly labelled and timely stored
  in a secured, environmentally controlled location.
· Risk: Data may be lost and systems may not be recoverable in the event of a serious
  system failure. This may result in regulatory/legal complaints and loss of reputation
  besides financial loss.
  Key IT Controls: Scheduled backup and storage of data is done periodically and
  appropriately. Management periodically reviews that backups are done as per the backup
  policy and meet business and legal requirements.

Information Security
Information security is critical to mitigate the risks of information technology. Security
refers to ensuring the Confidentiality, Integrity and Availability of information.

46. Explain the sub processes of Information Security

· Information Security Policies, Procedures, and Practices: Refers to the processes
relating to approval and implementation of information security. The security policy
is the basis on which detailed procedures and practices are developed and implemented
at various units/departments and layers of technology, as relevant. These cover all key
areas of securing information at various layers of information processing and ensure
that information is made available safely and securely.
· User Security Administration: Refers to security for various users of information
systems. The security administration policy documents define how users are created
and granted access as per the organization structure and access matrix. The complete
administration of users, right from creation to disabling, is also defined as part of the
security policy.
· Application Security: Refers to how security is implemented at various aspects of
application right from configuration, setting of parameters and security for
transactions through various application controls.
· Database Security: Refers to various aspects of implementing security for the
database software.
· Operating System Security: Refers to security for operating system software which
is installed in the servers and systems which are connected to the servers.
· Network Security: Refers to how security is provided at various layers of network
and connectivity to the servers.
· Physical Security: Refers to security implemented through physical access controls.

47. Explain risks & controls for information security

Risks and Controls for Information Security

· Risk: Significant information resources may be modified inappropriately, disclosed
  without authorization, and/or unavailable when needed (e.g., they may be deleted
  without authorization).
  Key IT Controls: Super user access or administrator passwords are changed on system
  installation and are available with the administrator only. The password of the super
  user or administrator is adequately protected.
· Risk: Lack of management direction and commitment to protect information assets.
  Key IT Controls: Security policies are established and management monitors compliance with
· Risk: Potential loss of confidentiality, availability and integrity of data and system.
  Key IT Controls: Vendor default passwords for application systems, operating systems,
  databases, and network and communication software are appropriately modified, eliminated, or
· Risk: User accountability is not established.
  Key IT Controls: All users are required to have a unique user
· Risk: It is easier for unauthorized users to guess the password of an authorized user
  and access the system and/or data. This may result in loss of confidentiality,
  availability and integrity of data and system.
  Key IT Controls: The identity of users is authenticated to the systems through
  passwords. The password is periodically changed, kept confidential and complex (e.g.,
  password length, alphanumeric content, etc.).
· Risk: Security breaches may go undetected.
  Key IT Controls: Access to sensitive data is logged and the logs are regularly reviewed by
· Risk: Inadequate preventive measures for key servers and IT systems in case of
  environmental threats like heat, humidity, fire, flood etc.
  Key IT Controls: Environmental controls like smoke detectors, fire extinguishers,
  temperature maintenance devices and humidity control devices are installed and
  monitored in the data

Application Software
In chapter 3 we covered Application controls. Here we are referring to risks & controls
specific to CBS.

48. Explain risks & controls for Application Software

Risks and Controls for Application Controls

Risks | IT Controls
--- | ---
Interest may be incorrectly computed leading to incorrect recording of income/ | Interest is automatically and correctly computed. Digits are rounded off appropriately. Interest is accurately
Inappropriate reversal of charges resulting in loss of revenue. | System does not permit reversal of the charges in excess of the original amount
Multiple liens in excess of the deposit value may result in inability to recover the outstanding in the event of a default. | System prevents a single lien from exceeding the deposit value. It prevents marking of multiple liens against the same deposit, thus preventing the total liens exceeding the deposit
Inappropriate security or controls over system parameter settings resulting in unauthorized or incorrect changes to settings. | Access for changes made to the configuration and parameter settings is restricted to authorized users and requires authorization/ verification from another
Inappropriate set up of accounts resulting in violation of business rules. | The system parameters are set up as per the business process rules of the bank.
Failure to levy appropriate charges resulting in loss of revenue. Inappropriate levy of charges, resulting in customer disputes. | System does not permit closing of an account having zero balance without recovering the applicable account closure charges.
Incorrect classification and provisioning of NPAs, resulting in financial misstatement. | Configuration/ customization exists in the application to perform the NPA classification as per relevant RBI guidelines.
Failure to levy appropriate charges resulting in loss of revenue. Inappropriate levy of charges, resulting in customer disputes. | The charges applicable for various transactions as per account types are properly configured as per bank rules. The charges are in compliance with RBI and bank’s policies.
Duplicate asset records may be created. | A unique id is created for each asset.
Ownership of asset may not be clearly established. | Each asset is assigned to a specific business unit and user to establish ownership.
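The lien, charge-reversal, account-closure and interest-rounding controls from the table above, as an added Python example that is not part of the study notes: a toy deposit account that rejects the risky transactions the table describes. Account numbers, amounts, the closure charge and the rule that liens must be released before closure are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP


class ControlViolation(Exception):
    """Raised when a transaction would breach a configured business rule."""


def attempt(action, *args):
    """Run a transaction; return None if accepted, else the control message."""
    try:
        action(*args)
        return None
    except ControlViolation as exc:
        return str(exc)


def compute_interest(principal, annual_rate_pct, days, year_days=365):
    """Control: interest is computed by the system and rounded to paise with
    a fixed rounding rule (half-up), not left to operator arithmetic."""
    amount = (Decimal(str(principal)) * Decimal(str(annual_rate_pct)) / Decimal(100)
              * Decimal(days) / Decimal(year_days))
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


@dataclass
class DepositAccount:
    number: str
    balance: float
    closure_charge: float = 100.0                 # assumed bank rule (sample value)
    liens: dict = field(default_factory=dict)     # lien_id -> amount
    charges: dict = field(default_factory=dict)   # charge_id -> amount levied
    closed: bool = False

    def total_liens(self):
        return sum(self.liens.values())

    def mark_lien(self, lien_id, amount):
        """Control: no single lien may exceed the deposit value, and the total
        of all liens marked against the same deposit may not exceed it."""
        if amount <= 0:
            raise ControlViolation("lien amount must be positive")
        if amount > self.balance:
            raise ControlViolation("single lien exceeds deposit value")
        if self.total_liens() + amount > self.balance:
            raise ControlViolation("total liens would exceed deposit value")
        self.liens[lien_id] = amount
        return self.total_liens()

    def levy_charge(self, charge_id, amount):
        """The levy is recorded so a later reversal can be checked against it."""
        self.charges[charge_id] = self.charges.get(charge_id, 0.0) + amount
        self.balance -= amount
        return self.balance

    def reverse_charge(self, charge_id, amount):
        """Control: a reversal may not exceed the amount originally charged."""
        original = self.charges.get(charge_id)
        if original is None:
            raise ControlViolation("no such charge to reverse")
        if amount > original:
            raise ControlViolation("reversal exceeds original charge")
        self.charges[charge_id] = original - amount
        self.balance += amount
        return self.balance

    def close(self):
        """Control: closure is refused unless the closure charge can be
        recovered. Refusing closure while liens are outstanding is an added
        assumption, not a control listed in the notes."""
        if self.closed:
            raise ControlViolation("account already closed")
        if self.liens:
            raise ControlViolation("liens outstanding; release before closure")
        if self.balance < self.closure_charge:
            raise ControlViolation("closure charge not recoverable from balance")
        self.levy_charge("closure", self.closure_charge)
        self.closed = True
        return self.balance
```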

49. Explain the four gateways of Application software

Application Software, whether it is high-end CBS software, ERP software or simple
accounting software, has primarily four gateways through which an enterprise can control
the functioning, access and use of the various menus and functions of the software. These are
as follows:

· Configuration:
§ In CBS software, Configuration refers to the way a software system is set up for
use. Configuration is the first step after installing the software.
§ This involves setting up various parameters (configuration) as per policies and
business process rules.
§ The various modules of the bank such as advances, deposits, user access etc.
must be configured.
§ Configuration will define how software will function and what menu options are
§ Configuration will also enable how the products and services are distinguished
from each other.
§ Some examples of configuration are given here:
- Defining access rules from various devices/terminals.
- Creation of User Types
- Creation of Customer Type, Deposit Type, year-end process
- User Access & privileges - Configuration & its management
- Password Management
· Masters:
§ In a CBS software, Masters refer to the setting parameters for various types of
product and service type as per software modules used in the bank. The masters
are also referred to as standing data as these are changed only when required
and will require higher level of access.
§ The parameter settings in the masters will drive how the software will process
relevant transactions. For example, the interest parameters will be used for
computing interest for various type of deposits/advances.
§ After configuring the software, the masters are set up for the first time during
installation and these are changed whenever the business process rules or
values change. For example: if RBI has changed the lending rates, based on which the bank
has decided to change the interest rates for a specific type of advances, the
interest parameters are to be updated. Any changes to these data should be
authorized by appropriate personnel and these are logged and captured in
exception reports.
§ Some examples of masters are as follows:
- Customer Master for advances: Credit limit, loan period, interest rate,
penal interest rate, security offered, sanction terms, customer details, etc.
- Deposit Master: Interest rate, type of deposit, service charges, period of
interest computation, Minimum balance, withdrawal limits, a/c type (NRE/
NRO), etc.
- Customer Master: Customer type, details, address, PAN details,
- Employee Master: Employee Name, Id, designation, level joining details,
salary, leave, etc.
- Income Tax Master: Tax rates applicable, Slabs, frequency of TDS, etc.

· Transactions:
§ In CBS software, Transactions refer to the actual transactions of various products
and services, which can be entered by users using menus and functions and by customers
through internet/mobile banking.
§ The transactions are allowed based on the user access and access authorization
matrix set.
§ For example, for each user, access to specific modules, type of transactions, and
what they can do (entry, authorize or view) can be defined. Some examples of
transactions are given here:
- Deposit transactions: opening of a/c, deposits, withdrawals, interest
computation, etc.
- Advances transactions: opening of a/c, deposits, withdrawals, transfers,
closure, etc.
- ECS transactions: Entry, upload, authorize/approve, update, etc.
- General Ledger: Expense accounting, interest computation update, charges
update, etc.

· Reports:
§ Users at different levels use information which is processed by the computers.
This information could be in form of reports which are periodically generated or
on demand.
§ These reports could be standard or ad hoc reports.
§ The reports could be used for monitoring the operations as also for tracking the
§ Some examples of reports are as follows:
- Summary of transactions of the day
- Daily General Ledger (GL) of the day
- Activity logging and reviewing
- MIS report for each product or service
- Reports covering performance/compliance
- Reports of exceptions, etc.
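The access authorization matrix behind the Transactions gateway, and the requirement that changes to masters and configuration be authorized by a second user and captured in exception reports, as an added Python example that is not from the study notes. The user ids, module names and the interest parameter are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access authorization matrix: user -> module -> permitted actions.
# Constructed sample; in practice it is set up through the Configuration gateway.
ACCESS_MATRIX = {
    "clerk01":   {"deposits": {"entry", "view"}},
    "officer01": {"deposits": {"entry", "authorize", "view"},
                  "masters":  {"entry", "view"}},
    "manager01": {"masters":  {"entry", "authorize", "view"}},
}


class AccessDenied(Exception):
    pass


def attempt(action, *args):
    """Run an action; return None if it succeeded, else the denial message."""
    try:
        action(*args)
        return None
    except AccessDenied as exc:
        return str(exc)


def check_access(user, module, action):
    """Every transaction is allowed only as per the access matrix."""
    allowed = ACCESS_MATRIX.get(user, {}).get(module, set())
    if action not in allowed:
        raise AccessDenied(f"{user} may not {action} on {module}")


@dataclass
class PendingChange:
    change_id: int
    key: str
    old_value: object
    new_value: object
    maker: str
    checker: Optional[str] = None


@dataclass
class MasterData:
    """Standing data (e.g. interest parameters) changed only via maker-checker."""
    values: dict
    pending: dict = field(default_factory=dict)
    exception_log: list = field(default_factory=list)
    next_id: int = 1

    def read(self, user, key):
        check_access(user, "masters", "view")
        return self.values[key]

    def propose(self, user, key, new_value):
        """Maker step: the change is staged; the live parameter is untouched."""
        check_access(user, "masters", "entry")
        change = PendingChange(self.next_id, key, self.values.get(key), new_value, user)
        self.pending[change.change_id] = change
        self.next_id += 1
        return change.change_id

    def authorize(self, user, change_id):
        """Checker step: a different user with authorize rights applies the
        change, and the change is captured in the exception log."""
        check_access(user, "masters", "authorize")
        change = self.pending.get(change_id)
        if change is None:
            raise AccessDenied(f"no pending change {change_id}")
        if change.maker == user:
            raise AccessDenied("maker cannot authorize own change")
        change.checker = user
        self.values[change.key] = change.new_value
        del self.pending[change_id]
        self.exception_log.append(
            f"MASTER CHANGE {change.key}: {change.old_value} -> {change.new_value} "
            f"(maker={change.maker}, checker={user})")
        return self.values[change.key]
```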


· Banking Regulation Act
· RBI regulations
· Money Laundering Act
· Information Technology Act

50. Write a short note on the Banking Regulation Act

· The Banking Regulation Act, 1949 is legislation in India that regulates all banking
firms in India. Initially, the law was applicable only to banking companies. But, in
1965 it was amended to make it applicable to cooperative banks and to introduce
other changes.
· The Act provides a framework using which commercial banking in India is supervised
and regulated.
· The Act gives the Reserve Bank of India (RBI) the power to license banks, have
regulation over shareholding and voting rights of shareholders; supervise the
appointment of the boards and management; regulate the operations of banks; lay
down instructions for audits; control moratorium, mergers and liquidation; issue
directives in the interests of public good and on banking policy, and impose
· In 1965, the Act was amended to include cooperative banks under its purview by
adding the Section 56. Cooperative banks, which operate only in one state, are
formed and run by the state government. But, RBI controls the licensing and
regulates the business operations. The Banking Act was a supplement to the previous
acts related to banking.
· RBI has been proactive in providing periodic guidelines to banking sector on how IT is
deployed. It also facilitates banks by providing specific guidelines on technology
frameworks, standards and procedures covering various aspects of functioning and
computerization of banks in India. RBI also provides the technology platform for
NEFT/ RTGS and other centralized processing from time to time.

Negotiable Instruments Act-1881 (NI Act)
· Under NI Act, Cheque includes electronic image of truncated cheque and a cheque in
the electronic form. The truncation of cheques in clearing has been given effect to
and appropriate safeguards in this regard have been set forth in the guidelines issued
by RBI from time to time.
· A cheque in the electronic form has been defined as “a mirror image” of a paper
cheque. The expression ‘mirror image’ is not appropriate and was misinterpreted in
many ways, being taken as an actual mirror image or snapshot image of the paper cheque.
· As per the IT Act 2000, under Section 3 the signature had to be a digital signature, but in 2008
the Act was amended to include electronic signatures.

51. Write a short note on RBI Regulations

· The Reserve Bank of India (RBI) was established on April 1, 1935 in accordance with
the provisions of the Reserve Bank of India Act, 1934.
· The basic functions of the Reserve Bank are described as:
§ “to regulate the issue of Bank Notes;
§ keeping of reserves with a view to securing monetary stability in India and
§ to operate the currency and credit system of the country to its advantage.”
· The primary objective of Banking & financial services is to undertake consolidated
supervision of the financial sector comprising commercial banks, financial institutions
and non-banking finance companies.

52. Explain key functions of RBI

· Monetary Authority: RBI Formulates, implements and monitors the monetary policy
with the objective of maintaining price stability and ensuring adequate flow of credit
to productive sectors.
· Regulator and supervisor of the financial system:
§ Prescribes broad parameters of banking operations within which the country’s
banking and financial system functions with the objective of maintaining public
confidence in the system, protect depositors’ interest and provide cost- effective
banking services to the public.
· Issuer of currency: Issues and exchanges or destroys currency and coins not fit for
circulation with the objective to give the public adequate quantity of supplies of
currency notes and coins and in good quality.

Impact of Technology in Banking
· The key components of banking business with controls are entirely covered under
the four areas namely business process, policies and procedures, regulatory
requirements and organization structure.
· However, in the CBS environment, technology encompasses all the four critical
components, resulting in highly effective and efficient business operations and
controls to manage the entire banking operations.
· Earlier, technology was a tool and used in specific department of the bank but now
with CBS, Technology has become all-pervasive and has become integral for doing
· The dependence on technology in a bank is also very high. If IT fails, then none of the
business processes can be performed.

Technology and Business Process Components

53. Write short note on money laundering

· Money Laundering is the process by which the proceeds of the crime and the true
ownership of those proceeds are concealed or made opaque so that the proceeds
appear to come from a legitimate source.
· The objective in money laundering is to conceal the existence, illegal source, or illegal
application of income to make it appear legitimate.
· Money laundering is commonly used by criminals to make “dirty” money appear
“clean” or the profits of criminal activities are made to appear legitimate.
· Sec.3 of PML Act, 2002 defines ‘money laundering’ as: “whosoever directly or
indirectly attempts to indulge or knowingly assists or knowingly is a party or is
actually involved in any process or activity connected with the proceeds of crime and
projecting it as untainted property shall be guilty of the offence of money-

Prevention of Money Laundering Act (PMLA)
· Under Section 12 of PMLA, every banking company, financial institution and
intermediary, (hereinafter referred to as such entities) is required to maintain a
record of transactions as may be prescribed by rules and furnish information to the
Director within such time as may be prescribed.
· The records to be maintained by such entities are set forth in rule 3 of PMLR. Such
records include record of cash transactions of value more than 10 lakhs or its
equivalent in foreign currency, integrally connected cash transactions taking place
within a month, cash transactions where forged or counterfeit notes are involved
and suspicious transactions of the nature described therein.
· Under rule 6 of PMLR, such records are to be maintained for a period of ten years
from the date of transaction.

54. Explain the key aspects of PMLA

The key aspects of PMLA are as follows:
§ Maintenance of record of all cash transactions above Rs. 10 lakhs. Such
information will be submitted to director every month before the 15th day of
succeeding month.
§ All series of cash transactions of value less than Rs. 10 lakhs integrally connected
if they have taken place within a month (aggregate value above Rs.10 lakhs).
Such information will be submitted to director every month before the 15th day
of succeeding month.
§ All cash transactions where forged or counterfeit notes have been used. Such
information will be submitted to director within 7 days of the date of occurrence
of the transaction.
§ All suspicious transactions made in cash or otherwise. Such information will be
submitted to director every month within a period of 7 working days on being
satisfied that the transaction is suspicious.
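An added Python example (not from the study notes) that screens a constructed set of cash transactions against the first three reporting triggers listed above and computes the reporting deadline for each. It assumes “within a month” means the same calendar month, and it does not model the judgement needed to classify a transaction as suspicious; customer ids, dates and amounts are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

LAKH = 100_000
THRESHOLD = 10 * LAKH   # Rs. 10 lakh, per the key aspects above

# Constructed sample: (txn_id, customer_id, date, cash amount in Rs., counterfeit notes?)
SAMPLE_TXNS = [
    ("T1", "C100", date(2024, 3, 2), 12 * LAKH, False),   # single txn above threshold
    ("T2", "C200", date(2024, 3, 3), 4 * LAKH, False),    # C200: 4 + 3 + 4 = 11 lakh
    ("T3", "C200", date(2024, 3, 15), 3 * LAKH, False),   #   within March
    ("T4", "C200", date(2024, 3, 28), 4 * LAKH, False),
    ("T5", "C300", date(2024, 3, 5), 2 * LAKH, False),    # C300: split across months,
    ("T6", "C300", date(2024, 4, 20), 9 * LAKH, False),   #   not connected under this rule
    ("T7", "C400", date(2024, 3, 9), 20_000, True),       # counterfeit notes involved
]


def screen(txns):
    """Return {txn_id: reason} for transactions that must be reported.
    Reasons: 'counterfeit', 'above_threshold', 'connected_series'.
    Assumption: 'within a month' is read as the same calendar month."""
    flagged = {}
    monthly = defaultdict(list)   # (customer, year, month) -> [(txn_id, amount)]
    for tid, cust, d, amt, counterfeit in txns:
        if counterfeit:
            flagged[tid] = "counterfeit"
        elif amt > THRESHOLD:
            flagged[tid] = "above_threshold"
        else:
            monthly[(cust, d.year, d.month)].append((tid, amt))
    # Integrally connected series: several sub-threshold cash transactions of
    # one customer in the same month whose aggregate exceeds the threshold.
    for items in monthly.values():
        if len(items) > 1 and sum(a for _, a in items) > THRESHOLD:
            for tid, _ in items:
                flagged[tid] = "connected_series"
    return flagged


def reporting_deadline(reason, txn_date):
    """Due date (ISO string) for furnishing the record to the Director:
    counterfeit cases within 7 days, the rest by the 15th of the next month."""
    if reason == "counterfeit":
        return (txn_date + timedelta(days=7)).isoformat()
    year, month = txn_date.year, txn_date.month + 1
    if month == 13:
        year, month = year + 1, 1
    return date(year, month, 15).isoformat()


def build_report(txns):
    """Pair each flagged transaction with its reason and reporting deadline."""
    dates = {tid: d for tid, _, d, _, _ in txns}
    return {tid: (reason, reporting_deadline(reason, dates[tid]))
            for tid, reason in screen(txns).items()}
```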

· As per Rule 9 of PMLR, every banking company, financial institution and
intermediary, as the case may be, shall, at the time of opening an account or
executing any transaction with it, verify and maintain the record of identity and
current address or addresses including permanent address or addresses of the client,
the nature of business of the client and his financial status.
Such entities are required to formulate and implement a client identification
programme which incorporates the requirements of the said rule. A copy of the said
identification programme is required to be forwarded to Director.

· Under section 13 of PMLA, the Director is empowered (without prejudice to any
other action that may be taken under PMLA) to impose a fine which shall not be less
than 10 thousand but which may extend to 1 lakh for each failure. Since the
imposition of fine by the Director is without prejudice to any other action that may
be taken under PMLA it is possible that such entities may be exposed to penalty also
under Section 63.
· In terms of Section 70 if the contravention is committed by such entities the officers
in charge of and responsible to the conduct of the business of such entity at the
relevant time are also liable to be proceeded with and punished.

It is therefore clear that such entities should have a robust system of keeping track of the
transactions of the nature referred to in Prevention of Money Laundering Act (PMLA) and
Prevention of Money Laundering Rules (PMLR) and report the same within the
prescribed period as aforesaid.

55. Explain the 3 stages of Money Laundering

The first stage involves the Placement of proceeds derived from illegal activities - the
movement of proceeds, frequently currency, from the scene of the crime to a place, or
into a form, less suspicious and more convenient for the criminal.

· Layering involves the separation of proceeds from the illegal source using complex
transactions through several banks, involving transfer of money between different
accounts in different names in different countries, designed to
obscure the audit trail and hide the proceeds.
· The criminals frequently use shell corporations, offshore banks or countries with
loose regulation and secrecy laws for this purpose.
· It changes the form of money i.e. from black money to white money by purchasing
the assets by utilizing black money such as boats, houses, cars, diamonds etc.

· Integration involves conversion of illegal proceeds into apparently legitimate
business earnings through normal financial or commercial operations.
· For e.g. false invoices for goods exported, domestic loan against a foreign deposit,
purchasing of property.

Anti-Money laundering (AML) using Technology
· Negative publicity, damage to reputation and loss of goodwill, legal and regulatory
sanctions and adverse effect on the bottom line are all possible consequences of a
bank’s failure to manage the risk of money laundering.
· Banks face the challenge of addressing the threat of money laundering on multiple
fronts as banks can be used as primary means for transfer of money across
geographies. The challenge is even greater for banks using CBS as all transactions are
· With regulators adopting stricter regulations on banks and enhancing their
enforcement efforts, banks are using special fraud and risk management software to
prevent and detect fraud and integrate this as part of their internal process and daily
processing and reporting.

Financing of Terrorism
· Money to fund terrorist activities moves through the global financial system via
electronic transfers and in and out of personal and business accounts.
· It can sit in the accounts of illegitimate charities and be laundered through buying
and selling securities and other commodities.

Information Technology Act

I. Cyber Crimes
Cybercrime also known as computer crime is a crime that involves use of a
computer and a network.
Cybercrime is defined as: “Offences that are committed against individuals or
groups of individuals with a criminal motive to intentionally harm the reputation
of the victim or cause physical or mental harm, or loss, to the victim directly or
indirectly, using modern telecommunication networks such as Internet (Chat
rooms, emails, notice boards and groups) and mobile phones.”

56. Explain the classification of cybercrimes as per the United Nations manual

· Committing of a fraud by manipulation of the input, output, or throughput of a
computer based system.
· Computer forgery, which involves changing images or data stored in computers,
· Deliberate damage caused to computer data or programs through virus programs or
logic bombs,
· Unauthorized access to computers by ‘hacking’ into systems or stealing passwords,
· Unauthorized reproduction of computer programs or software piracy.
· Cybercrimes have grown big with some countries promoting it to attack another
country’s security and financial health.

II. Computer related offences

Section 43 provides for Penalty and compensation for damage to computer,
computer system, etc.
If any person without permission of the owner or any other person who is in-charge of a
computer, computer system or computer network, or computer resource:
· Accesses or secures access to such computer, computer system or computer
· Downloads, copies or extracts any data, computer database or information from
such computer, computer system or computer network including information or data
held or stored in any removable storage medium;
· Introduces or causes to be introduced any computer contaminant or computer virus
into any computer, computer system or computer network;
· Damages or causes to be damaged any computer, computer system or computer
network, data, computer database or any other programs residing in such computer,
computer system or computer network;
· Disrupts or causes disruption of any computer, computer system or computer
· Denies or causes the denial of access to any person authorized to access any
computer, computer system or computer network by any means;
· Provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of this Act, rules or
regulations made thereunder;
· Changes the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system, or computer
· Destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means;
· Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or
alter any computer source code used for a computer resource with an intention to
cause damage;

shall be liable to pay damages by way of compensation to the person so affected.

Some examples of offences in IT Act which could impact banks are as follows:

Section 65: Tampering with Computer Source Documents
- knowingly or intentionally conceals, destroys or alters or
- intentionally or knowingly causes another to conceal, destroy or alter
any computer source code used for a computer, computer program, computer system or
computer network, when the computer source code is required to be kept or maintained
by law for the time being in force, shall be punishable with
- imprisonment up to three years, or
- with fine which may extend up to 2 lakh rupees, or
- with both.
The explanation clarifies “Computer Source Code” means the listing of programme,
Computer Commands, Design and layout and program analysis of computer resource in
any form.

Section 66: Computer Related Offences

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall
be punishable with imprisonment for a term which may extend to three years or with
fine which may extend to 5 lakh rupees or with both.

Section 66-B: Punishment for dishonestly receiving stolen computer resource or
communication device
Whoever dishonestly receives or retains any stolen computer resource or
communication device knowing or having reason to believe the same to be stolen
computer resource or communication device, shall be punished with imprisonment of
either description for a term which may extend to three years or with fine which may
extend to rupees one lakh or with both.

Section 66-C: Punishment for identity theft

Whoever, fraudulently or dishonestly makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall
also be liable to fine which may extend to rupees one lakh.

Section 66-D: Punishment for cheating by personation by using computer

Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term which
may extend to three years and shall also be liable to fine which may extend to one lakh

Section 66-E: Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating the
privacy of that person, shall be punished with imprisonment which may extend to three
years or with fine not exceeding two lakh rupees, or with both.

III. Sensitive Personal Data Information (SPDI)
Section 43A: Compensation for failure to protect data
Section 43A of the IT Amendment Act imposes responsibility for protection of
stakeholder information by body corporate. It states as follows:
“Where a body corporate, possessing, dealing or handling any sensitive personal
data or information in a computer resource, which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation, to the
person so affected”.
The IT Act has a specific category, “sensitive personal data or information,” which
consists of password, financial information (including bank account, credit card,
debit card or other payment details), physical, physiological and mental health
conditions, sexual orientation, medical records, and biometric information. This
legally obligates all stakeholders (i.e., any individual or organization that collects,
processes, transmits, transfers, stores or deals with sensitive personal data) to
adhere to its requirements.
IV. Privacy Policy
· Every bank captures Personal Information of customers as per the definition
in the IT Act. Hence, it is mandatory to ensure the security of personal information.
· This information must be protected by maintaining physical, electronic, and
procedural safeguards by using appropriate security standards such as ISO
27001 to ensure compliance with regulatory requirements.
· Further, the employees of banks should be trained in the proper handling of
personal information.
· Even when such services are outsourced, the vendor companies who provide
such services are required to protect the confidentiality of personal
information they receive and process. This aspect must be contractually
agreed and the compliance of this monitored.
· The specific information collected is to be confirmed with the customers. The
type of information collected could be Non-Personal and Personal
Information. For example, when the customer visits the website of the bank,
information about the IP address of the device used to connect to the Internet
is collected. The Personal Information is that provided by the customer, such as name,
address, phone number, email, etc.
